CVE-2026-26956 - vm2: WASM Sandbox Escape (Node 25 only)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

https://app.opencve.io/cve/CVE-2026-26956

If you’re not going to show the source code, there’s absolutely no point in using GitHub.

As for getting paid, I hadn’t seen gumroad before, nice, but failing the access to the source, it’s unlikely I’d buy/pay for unknown software and install it sight unseen on anything I care about.

From a security perspective, in my opinion this is a disaster waiting to happen.

Pandoc will convert markdown to a PDF in portrait or landscape and there’s even “beamer” support, aka data projector or presentation support.

Why run Docker Desktop when it’s installable as a cli service?

What are you actually trying to achieve?

Tah. I’ll have a look see.

Not sure how, or if, I’d want to install an Arch package under Debian, but it’s my understanding that the package I’ve raised a bug for under Debian implements, or is supposed to at least, the functionality you’re describing.

What I haven’t found is a recipe that documents exactly how it’s supposed to work (not to mention, in a Debian way).

I’d love to discover something that doesn’t start with instructions to remove all pipewire packages and install from source, since that completely defeats the purpose of running Debian Stable as the host.

In my adventures I did look at this, but it appears to require that you install support for this inside the guest, which is possible for modern guests, but not for ancient ones like say Debian Wheezy or Win98se.

Just added the link.

I’m not sure if we’re talking about the same thing. One of the recent leaks had code that pretended to be a developer, so you could pick if it submitted a PR as Assumed Intelligence, or as a person.

I’ll see if I can find a reference.

Edit: Undercover Mode in Claude Code:

https://alex000kim.com/posts/2026-03-31-claude-code-source-leak/#undercover-mode-ai-that-hides-its-ai

Hold on, wasn’t one of the “features” of the “leaked” Assumed Intelligence source code the “human”-like version?

While this doesn’t answer your question, I use Docker for this exact purpose, since you can throw away everything if it fails, whilst keeping a recipe for success documented in a Dockerfile.

Given that you’re having issues with the DNS, I’d look at this.

Specifically, are you using the ISP DNS as an upstream lookup, or have you configured another DNS as the upstream?

Is the ISP DNS locking you out because you’re hammering it?

Does the ISP block traffic on Port 53?

When you’re having issues, can you look up addresses using a different DNS?

How is your DNS configured / implemented?

You do understand that California is not the centre of the universe, that states within the United States of America don’t agree on how to conduct voting, let alone agree on laws and finally, that there are 8.3 billion people on this planet, 96% of whom don’t live in, or are subject to laws made in the USA.

I’m sorry, but no.

Age validation is surveillance under the guise of “protecting the children”, which it spectacularly fails at for more reasons than I can count.

1. Everyone has to validate their age, which creates a whole infrastructure that require documents that “prove” your age.
2. A verified “under age” user will be added to a database by unscrupulous players, creating a honeypot for predators.
3. Age verification isn’t universal, isn’t uniform and regardless of the jurisdiction in which it’s implemented, won’t actually prevent content from being procured from sources outside that jurisdiction.
4. One source of objectionable content is another’s entertainment, legally so, given that laws are made in isolation from each other across borders.
5. The result of such legislation is the effective censorship of content that some lawmaker finds objectionable, which will cause more harm than good.
6. Operating System level age verification on open source platforms will spectacularly fail since they’re published outside the jurisdiction.

So … no.

I understand your point and agree that this is the thin end of the wedge.

What we’re doing here is discussing the phenomenon and I’m highlighting some concerns.

I believe that this is how you get a dialogue happening which will effect change, which is what we’re both advocating.

I think that age verification is about surveillance rather than protecting children and I think it should be fought at every level.

This is me contributing to that fight.

In my opinion, storing a date is pretty much irrelevant unless there’s a process that validates the supplied date, otherwise every Linux user was born on 1/1/1, if not, an administrator can “fix” that

Furthermore, that systemd thinks that it’s the place to store such information is in my opinion beyond absurd.

Who appointed that project the source of age truth in the Linux ecosystem? What discussion was there, who was consulted and where was the vote?

I have it and I use it daily and I absolutely hate it. The latest MacOS Tahoe is an abomination.

It’s unstable, it sleeps monitors connected over USB-C while in use, Bluetooth audio pairing randomly doesn’t work, the virtualisation engine is crash prone, X11 integration magically stopped working a year ago and nobody seems to care.

Permissions are impenetrable, sshfs and fuse requires a kernel module and repeated reboots and permissions to be enabled.

I’m forced to have an OS update, requiring a reboot, to support a new model that I’m not running.

There’s no native package manager so applications just throw their shit all over the filesystem and the alternatives, Homebrew, Anaconda and MacPorts each have system breaking problems.

So … no. It absolutely sucks.

And here’s the kicker, it’s still better than Microsoft Windows.

Given the history of A/UX, I’d be surprised if System V didn’t have an oar in the water too.

At first glance IP address or URL, embedded in HTML, whatever it is, it’s a doozy. I wonder what the performance of it is like.