CVE-2026-43997

A dozen critical vm2 vulnerabilities disclosed on May 7, 2026 can let attackers escape Node.js sandboxes, run code on the host and bypass allowlists. Fixes are available in vm2 3.11.2 and earlier patch releases.