A critical sandbox escape vulnerability (CVE-2026-26956) in the vm2 Node.js library allows attackers to execute arbitrary OS commands by leveraging WebAssembly.JSTag via VM.run(). The flaw affects versions 0.2.2 through 3.10.4 on Node.js runtimes exposing this tag, prompting the release of vm2 3.10.5 and a free Certified Patch from Socket to remove the tag from the sandbox environment.