Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" end...
Description
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Node.js (vm2)
PRODUCT: vm2
AFFECTED_VERSIONS: Prior to 3.11.0
---END_METADATA---
Description Summary:
A vulnerability involving
SuppressedErrorin the vm2 library allows attackers to escape the sandbox and execute arbitrary code on the host system.Executive Summary:
A critical sandbox breakout vulnerability in vm2 allows attackers to leverage
SuppressedErrorto execute arbitrary code on the host.Vulnerability Details
CVE-ID: CVE-2026-26332
Affected Software: vm2 (Node.js)
Affected Versions: Prior to 3.11.0
Vulnerability: The
SuppressedErrorobject in the vm2 environment can be manipulated to facilitate a sandbox escape. By exploiting this, an attacker can move outside the restricted environment and execute arbitrary code on the host.Business Impact
A CVSS score of 9.8 reflects the high severity of this sandbox escape. Exploitation could allow an attacker to gain full control over the host system, leading to complete data compromise and potential disruption of critical business processes.
Remediation Plan
Immediate Action: Update the vm2 dependency to version 3.11.0 or later to address this breakout vulnerability.
Proactive Monitoring: Monitor application logs for unexpected error patterns or unusual code execution sequences.
Compensating Controls: Run the Node.js application with minimal system privileges and use containerization to restrict access to the underlying host resources.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of May 4, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The continued discovery of sandbox escapes in vm2 underscores the difficulty of maintaining a secure JavaScript sandbox. Updating the library is mandatory, but organizations should also assess the necessity of running untrusted code and consider more secure architectural alternatives.