vm2 sandbox escape: 13 critical vulnerabilities allow arbitrary code execution
Tags: Security · OSS · Developer Tools
Sources: InfoWorld · Qualys ThreatPROTECT
Thirteen critical vulnerabilities in the vm2 Node.js sandboxing library, including CVE-2026-26956 (CVSS 9.8), allow attackers to escape the sandbox and execute arbitrary code on the host system, and proof-of-concept exploits are publicly available. The most critical flaw stems from erroneous handling of exceptions that cross between the sandboxed environment and the host, which bypasses vm2's sanitization entirely. Patrik Simek (vm2 maintainer) patched most of them in version 3.11.2, but two CVEs (CVE-2026-44008 and CVE-2026-44009) remain completely unpatched as of May 8, 2026.
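To act on the version boundary above, the following added example (not code from the article or the vm2 project) inventories every vm2 copy in a parsed `package-lock.json`, including transitive ones, and reports whether each predates 3.11.2. The sample lockfile, the package names `some-runner` and `vm2-helper`, and the status labels are constructed for illustration.

```javascript
// Added example: inventory vm2 copies in a parsed package-lock.json.
// PATCHED_IN comes from the article; everything else here is illustrative.
const PATCHED_IN = "3.11.2";

// Compare two dotted numeric versions; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk both lockfile layouts: "packages" (v2/v3) and nested "dependencies" (v1).
function findVm2(lock) {
  const hits = [];
  const record = (path, version) => hits.push({
    path, version,
    status: compareVersions(version, PATCHED_IN) < 0
      ? "missing-3.11.2-fixes" : "has-3.11.2-fixes-two-cves-open",
  });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path) && meta.version) record(path, meta.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2" && meta.version) record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // avoid double counting in v2 files
  return hits;
}

// Constructed sample lockfile (hypothetical package names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.2" },
    "node_modules/some-runner/node_modules/vm2": { version: "3.9.19" },
    "node_modules/vm2-helper": { version: "1.0.0" },
  },
};
```

Pass it the result of `JSON.parse` on a real lockfile. Every hit deserves review, since a copy at or above 3.11.2 is still exposed to the two CVEs the article lists as unpatched.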