CVE-2026-26956: vm2 Sandbox Escape Enables Host RCE in Node.js 25
ID: f2563d80-b116-59e3-895c-b1df7fd71efa
STIX ID: report--f2563d80-b116-59e3-895c-b1df7fd71efa
Feed Name: SOCRadar Blog
CVE-2026-26956 is a critical (CVSS 9.8) sandbox escape in the vm2 npm package, affecting vm2 3.10.4 and fixed in 3.10.5 and later. On Node.js 25 builds that support WebAssembly exception handling and JSTag, attacker-controlled code run through VM.run() can break out of the sandbox and execute code in the host process. A working proof of concept exists. Defenders are advised to upgrade vm2, check which Node.js builds their deployments run on to determine their exposure, and apply defense in depth around any process that executes untrusted code.
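The exposure check the summary recommends, as an added example that is not code from the SOCRadar post or the vm2 project. It treats any vm2 release below 3.10.5 as unfixed (the post names 3.10.4 as affected and 3.10.5+ as fixed), takes Node.js major 25 as the runtime the post pairs with the escape, and probes for the `WebAssembly.JSTag` global as the indicator that a build exposes the JSTag exception-handling feature; that probe, the `FIXED_VM2` and `AFFECTED_NODE_MAJOR` constants and the `assessExposure` helper are assumptions made for this example, not identifiers from the advisory.

```javascript
// Runtime exposure check for CVE-2026-26956 (added example, not the advisory's code).
// Assumptions (not from the advisory): vm2 < 3.10.5 is unfixed; Node.js major 25 is
// the paired runtime; WebAssembly.JSTag being defined marks a JSTag-capable build.
const FIXED_VM2 = "3.10.5";
const AFFECTED_NODE_MAJOR = 25;

// Numeric comparison of dotted version strings ("v25.1.0" and "25.1.0" are equal).
// Returns -1, 0 or 1. A plain string compare would wrongly rank 3.10.10 below 3.10.5.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, "").split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function vm2IsUnfixed(vm2Version) {
  return compareVersions(vm2Version, FIXED_VM2) < 0;
}

function nodeMajor(nodeVersion) {
  return parseInt(nodeVersion.replace(/^v/, "").split(".")[0], 10);
}

// Feature probe (assumption): a runtime that exposes WebAssembly.JSTag supports the
// JS-tag exception-handling feature the advisory names. Injectable for testing.
function runtimeExposesJSTag(wasm = globalThis.WebAssembly) {
  return typeof wasm === "object" && wasm !== null && typeof wasm.JSTag !== "undefined";
}

// Combine the three signals. The full escape chain needs all of them, but an unfixed
// vm2 is a finding on its own: the runtime can change under a deployment at any time.
function assessExposure({ vm2Version, nodeVersion, jsTagPresent }) {
  const unfixed = vm2Version !== null && vm2IsUnfixed(vm2Version);
  const pairedRuntime = nodeMajor(nodeVersion) === AFFECTED_NODE_MAJOR && jsTagPresent;
  const findings = [];
  if (vm2Version === null) findings.push("vm2 not installed; nothing to assess");
  if (unfixed) findings.push(`vm2 ${vm2Version} is below ${FIXED_VM2}: upgrade`);
  if (pairedRuntime) findings.push(`Node ${nodeVersion} exposes JSTag: paired runtime present`);
  return {
    needsUpgrade: unfixed,
    fullChain: unfixed && pairedRuntime,
    findings,
  };
}

// Read the installed vm2 version when run as a CommonJS script; null if absent.
function installedVm2Version() {
  if (typeof require !== "function") return null;
  try {
    return require("vm2/package.json").version;
  } catch (e) {
    return null;
  }
}

if (typeof module !== "undefined" && typeof require === "function" && require.main === module) {
  const result = assessExposure({
    vm2Version: installedVm2Version(),
    nodeVersion: process.version,
    jsTagPresent: runtimeExposesJSTag(),
  });
  for (const line of result.findings) console.log(line);
  console.log(result.fullChain ? "EXPOSED: full chain present" : "full chain not present");
}
```

Run it with `node check.js` inside the project that depends on vm2; a `needsUpgrade` verdict should be acted on even when `fullChain` is false, since the post's advice is to upgrade vm2 regardless of the current runtime.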
