<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Thu, 07 May 2026 05:49:19 +0000</lastBuildDate>
    <item>
      <title>7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa</title>
      <link>https://vulnerability.circl.lu/sighting/7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa/export</link>
      <description>{"uuid": "7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2ckkquyt2l", "content": "\ud83d\udd34 CVE-2026-24120 - Critical (9.8)\n\nvm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-24120/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-04T18:30:48.520546Z"}</description>
      <content:encoded>{"uuid": "7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2ckkquyt2l", "content": "\ud83d\udd34 CVE-2026-24120 - Critical (9.8)\n\nvm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-24120/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-04T18:30:48.520546Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa/export</guid>
      <pubDate>Mon, 04 May 2026 18:30:48 +0000</pubDate>
    </item>
    <item>
      <title>d345441c-e8d0-401d-bfe3-f211bf1c5b28</title>
      <link>https://vulnerability.circl.lu/sighting/d345441c-e8d0-401d-bfe3-f211bf1c5b28/export</link>
      <description>{"uuid": "d345441c-e8d0-401d-bfe3-f211bf1c5b28", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://gist.github.com/alon710/f3beac366d11264132c16ea4f9f1b920", "content": "# CVE-2026-24120: CVE-2026-24120: Remote Code Execution via Promise Species Hijacking in vm2 Sandbox\n\n&amp;gt; **CVSS Score:** 9.8\n&amp;gt; **Published:** 2026-05-05\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-24120\n\n## Summary\nAn incomplete mitigation for a previous sandbox escape in the vm2 Node.js module allows attackers to execute arbitrary code on the host system. By manipulating Promise species and intercepting internal method calls via prototype pollution, attackers bypass sandbox protections and gain full host access.\n\n## TL;DR\nvm2 prior to version 3.10.5 contains a critical sandbox escape (CVSS 9.8). Attackers bypass internal security wrappers by overwriting Function.prototype.call and hijacking Promise creation, achieving unauthenticated remote code execution on the host system.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94, CWE-693\n- **Attack Vector**: Network\n- **CVSS Score**: 9.8 (Critical)\n- **EPSS Score**: 0.00080 (23.22%)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications running vm2 versions &amp;lt; 3.10.5\n- **vm2**: &amp;lt; 3.10.5 (Fixed in: `3.10.5`)\n\n## Mitigation\n\n- Upgrade vm2 to version 3.10.5 immediately\n- Migrate to alternative isolation technologies (WebAssembly, Docker, Firecracker)\n- Implement strong EDR rules to detect child_process spawning from Node.js\n\n**Remediation Steps:**\n1. Identify all projects and transitive dependencies relying on vm2.\n2. Update package.json and lockfiles to enforce vm2 &amp;gt;= 3.10.5.\n3. Run unit and integration tests to ensure standard functionality remains unaffected by the update.\n4. Initiate an architectural review to deprecate usage of V8-based sandboxing for untrusted code execution.\n\n## References\n\n- [GitHub Release v3.10.5](https://github.com/patriksimek/vm2/releases/tag/v3.10.5)\n- [GitHub Security Advisory GHSA-qvjj-29qf-hp7p](https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p)\n- [Fix Commit 4b009c2d4b1131c01810c1205e641d614c322a29](https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29)\n- [Red Hot Cyber - Latest Critical Vulnerabilities Analysis](https://www.redhotcyber.com/en/latest-critical-vulnerabilities/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-24120) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T16:40:29.000000Z"}</description>
      <content:encoded>{"uuid": "d345441c-e8d0-401d-bfe3-f211bf1c5b28", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://gist.github.com/alon710/f3beac366d11264132c16ea4f9f1b920", "content": "# CVE-2026-24120: CVE-2026-24120: Remote Code Execution via Promise Species Hijacking in vm2 Sandbox\n\n&amp;gt; **CVSS Score:** 9.8\n&amp;gt; **Published:** 2026-05-05\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-24120\n\n## Summary\nAn incomplete mitigation for a previous sandbox escape in the vm2 Node.js module allows attackers to execute arbitrary code on the host system. By manipulating Promise species and intercepting internal method calls via prototype pollution, attackers bypass sandbox protections and gain full host access.\n\n## TL;DR\nvm2 prior to version 3.10.5 contains a critical sandbox escape (CVSS 9.8). Attackers bypass internal security wrappers by overwriting Function.prototype.call and hijacking Promise creation, achieving unauthenticated remote code execution on the host system.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94, CWE-693\n- **Attack Vector**: Network\n- **CVSS Score**: 9.8 (Critical)\n- **EPSS Score**: 0.00080 (23.22%)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications running vm2 versions &amp;lt; 3.10.5\n- **vm2**: &amp;lt; 3.10.5 (Fixed in: `3.10.5`)\n\n## Mitigation\n\n- Upgrade vm2 to version 3.10.5 immediately\n- Migrate to alternative isolation technologies (WebAssembly, Docker, Firecracker)\n- Implement strong EDR rules to detect child_process spawning from Node.js\n\n**Remediation Steps:**\n1. Identify all projects and transitive dependencies relying on vm2.\n2. Update package.json and lockfiles to enforce vm2 &amp;gt;= 3.10.5.\n3. Run unit and integration tests to ensure standard functionality remains unaffected by the update.\n4. Initiate an architectural review to deprecate usage of V8-based sandboxing for untrusted code execution.\n\n## References\n\n- [GitHub Release v3.10.5](https://github.com/patriksimek/vm2/releases/tag/v3.10.5)\n- [GitHub Security Advisory GHSA-qvjj-29qf-hp7p](https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p)\n- [Fix Commit 4b009c2d4b1131c01810c1205e641d614c322a29](https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29)\n- [Red Hot Cyber - Latest Critical Vulnerabilities Analysis](https://www.redhotcyber.com/en/latest-critical-vulnerabilities/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-24120) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T16:40:29.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/d345441c-e8d0-401d-bfe3-f211bf1c5b28/export</guid>
      <pubDate>Tue, 05 May 2026 16:40:29 +0000</pubDate>
    </item>
  </channel>
</rss>
