{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-47139/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-12T16:07:53.050Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-47139","@id":"https://www.cve.org/CVERecord?id=CVE-2026-47139","description":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as _http_client and _http_server. These are not blocked when the public modules are excluded. Sandboxed code can use these internal builtins to make outbound HTTP "},"products":[{"@id":"cpe:2.3:a:patriksimek:vm2:\\<_3.11.4:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:patriksimek:vm2:\\<_3.11.4:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-12T16:07:53.050Z"}]}