RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: prototype-pollution (2 articles)Clear
vulnerability
CVE-2026-43997CVE-2026-44005CVE-2026-44006CVE-2026-26956CVE-2026-24118CVE-2026-24120CVE-2026-24781CVE-2026-26332CVE-2026-43999CVE-2026-44007CVE-2026-44008
2026-05-06

vm2, the Node.js sandbox library used by 1.3 million projects to run untrusted code, just got hit with a dozen new bugs that let attackers escape the sandbox

vm2 maintainers disclosed a fresh batch of a dozen sandbox-escape vulnerabilities yesterday, including CVE-2026-43997, CVE-2026-44005, and CVE-2026-44006 - all CVSS 10.0. The library is used by 1.3 million weekly downloads worth of Node.js projects to run untrusted JavaScript inside a supposedly safe sandbox - online code runners, chatbots, automation tools, and SaaS platforms with user scripts. Each bug breaks the sandbox in a different way: prototype pollution, sandbox escape via inspect functions, allowlist bypass to reach child_process. vm2 was deprecated in 2023 over similar issues, then resurrected last October. Over 20 documented sandbox-escape bugs - the maintainer himself recommends Docker isolation instead.

vm2nodejssandbox-escapeprototype-pollutionjavascriptsupply-chain-precursorcvss-10isolated-vmdocker-isolation
Check
Search package.json and yarn.lock files across your codebase for vm2 dependencies. Check version - anything below 3.11.2 needs updating. Audit which features process attacker-controlled input through vm2.
Affected
vm2 versions 3.10.0 through 3.11.1. Patches landed in 3.11.0, 3.11.1, and 3.11.2. CVE-2026-43997, 44005, 44006 are CVSS 10.0. Acute risk: applications running user-supplied JavaScript through vm2 - chatbots, online code editors, automation platforms, and SaaS apps with custom-script features.
Fix
Upgrade vm2 to 3.11.2. For applications running attacker-controlled JavaScript, migrate off vm2 entirely - the maintainer recommends isolated-vm or Docker with logical separation. Don't rely on vm2 alone: combine with network isolation, filesystem restrictions, and ephemeral containers. Review CI/CD for transitive vm2 dependencies via 'npm ls vm2' - 885 packages directly depend on it.
defense
CVE-2026-34621
2026-04-12

Adobe releases emergency patch for actively exploited Acrobat Reader zero-day we reported Thursday (CVE-2026-34621)

Adobe has released an emergency security update (APSB26-43, priority-1) to patch CVE-2026-34621, the Adobe Reader zero-day we reported on April 10 that had been exploited since December 2025 via malicious PDF documents. The flaw has now been classified as a prototype pollution vulnerability leading to arbitrary code execution - more severe than the initial fingerprinting and data theft we described. Adobe confirmed it's worse than just information leakage: the underlying bug can achieve full RCE, not just the reconnaissance stage observed in early exploitation. CVSS was initially scored 9.6 but Adobe revised it down to 8.6 after changing the attack vector from Network to Local. EXPMON researcher Haifei Li, who first disclosed the flaw, was credited by Adobe. All users on Windows and macOS should update immediately - Adobe assigned this patch its highest priority rating.

adobe-readerzero-dayemergency-patchprototype-pollutionrceactively-exploited
Check
Update Adobe Acrobat and Reader immediately. If you disabled JavaScript in Reader based on our April 10 advisory, you should still update - the patch fixes the root cause.
Affected
All versions of Adobe Acrobat and Reader on Windows and macOS prior to the APSB26-43 patch. Adobe confirmed exploitation in the wild since at least December 2025.
Fix
Update Adobe Acrobat and Reader via Help > Check for Updates, or download from the Adobe Security Bulletin APSB26-43. This is a priority-1 patch - Adobe recommends installation within 72 hours. Keep Acrobat JavaScript disabled as defense-in-depth even after patching. Continue blocking the C2 indicator supp0v3[.]com and User-Agent string 'Adobe Synchronizer' at the network level.