The Hacker News

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

A critical vm2 Node.js vulnerability (CVE-2026-22709, CVSS 9.8) allows sandbox escape via Promise handler bypass.
SecurityWeek

N8n Vulnerabilities Could Lead to Remote Code Execution

Two vulnerabilities in n8n’s sandbox mechanism could be exploited for remote code execution (RCE) on the host system.

New sandbox escape flaw exposes n8n instances to RCE attacks

Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host.
CSO Online

Critical RCE bugs expose the n8n automation platform to host‑level compromise

A JavaScript sandbox bug rated CVSS 9.9 enables attackers to bypass AST‑based protections, while a Python execution bypass ...
SecurityWeek

‘PackageGate’ Flaws Open JavaScript Ecosystem to Supply Chain Attacks

Vulnerabilities in the NPM, PNPM, VLT, and Bun package managers could lead to protection bypasses and arbitrary code ...

Critical sandbox escape flaw found in popular vm2 NodeJS library

A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system.
The Hacker News

SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score

SmarterTools fixed critical SmarterMail flaws, including CVSS 9.3 unauthenticated RCE and NTLM relay bugs, urging users to ...
Threat Post

Critical Magento Flaws Allow Code Execution

Adobe has released patches for critical and important-severity flaws in its popular Magento e-commerce platform. Critical flaws in Adobe’s Magento e-commerce platform – which is commonly targeted by ...