CVE-2026-43998

HighPublic PoC

Published: 13 May 2026

Published

13 May 2026

Modified

14 May 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0020 41.8th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-43998 is a high-severity Link Following (CWE-59) vulnerability in Vm2 Project Vm2. Its CVSS base score is 8.5 (High).

Operationally, ranked at the 41.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

NVD Description

vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve()…

(which does not dereference symlinks) but module loading uses Node's native require() (which does), an attacker can load arbitrary host-realm modules and achieve remote code execution. This vulnerability is fixed in 3.11.0.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-59

Affected Products

vm2 project

vm2

3.10.5

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-cp6g-6699-wx9c
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com
https://github.com/patriksimek/vm2/security/advisories/GHSA-cp6g-6699-wx9c
Exploit, Mitigation, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0