CVE-2026-44002

Published: Mag 13, 2026 Last Modified: Mag 13, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: changed

Confidentiality: low

Integrity: none

Availability: none

Description

AI Translation Available

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server. This vulnerability is fixed in 3.11.0.

209

Generation of Error Message Containing Sensitive Information

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data

Applicable Platforms

Languages: Java, Not Language-Specific, PHP

Likelihood of Exploit: High

View CWE Details

https://github.com/patriksimek/vm2/security/advisories/GHSA…

https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw

CVE-2026-44002

Description

Generation of Error Message Containing Sensitive Information

Common Consequences

Applicable Platforms

Iscriviti alla newsletter