Patriksimek - Vm2 - CRITICAL - CVE-2026-22709. In vm2 versions prior to 3.10.2, a significant vulnerability exists that allows the bypass of sanitization for `Promise.prototype.then` and `Promise.prototype.catch` callbacks. This flaw enables attackers to escape the sandboxed environment, leading to the execution of arbitrary code. The issue is rooted in the lack of sanitization for the global promise callbacks, while local promise callbacks were adequately protected. An update to version 3.10.2 resolves this critical security lapse.