Ghostwire

CVE-2026-47137: vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE

CRITICAL CVSS 10.0 Exploit Available 3 PoC

Published: May 29, 2026 | Last Modified: May 29, 2026

Description

vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE

Ghostwire Analysis — What This Means Practically

Critical CVSS score indicates maximum severity — remote code execution, authentication bypass, or complete system compromise is likely possible.
3 proof-of-concept exploits available on GitHub. Public exploit code lowers the barrier for both researchers and attackers.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (3)

patriksimek/vm2
patriksimek/vm2
patriksimek/vm2

Security Coverage (1 articles)

References

github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr
github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568
github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7
github.com/patriksimek/vm2/releases/tag/v3.11.4
github.com/advisories/GHSA-m4wx-m65x-ghrr
www.tenable.com/cve/CVE-2026-47137
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-47137