vm2 sandbox escape strikes again: CVE-2026-24118 and the case against running untrusted JS in your Node process

Today’s CVE drop: a dozen vulnerabilities in vm2, the popular Node.js sandbox library, with three of them at CVSS 9.8 — full sandbox escape, arbitrary code execution on the host. CVE-2026-24118 leverages JavaScript’s __lookupGetter__ to break out. CVE-2026-24120 bypasses …