CVE-2026-47209 - vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
CVE ID :CVE-2026-47209 Published : June 12, 2026, 3:16 p.m. | 1 hour, 51 minutes ago Description :vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host...