32 matches found
VulnCheck KEV: CVE-2026-45321
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...
Exploit for Embedded Malicious Code in Tanstack Tanstack\/Arktype-Adapter
Simulasi Supply Chain Attack — CVE-2026-45321 TanStack Ed...
CVE-2026-45321
creationtimestamp| type| source ---|---|--- 2026-05-12 12:20:35+00:00| seen| https://bsky.app/profile/dameyiwu.bsky.social/post/3mlnrlvzty22x 2026-05-12 15:00:07+00:00| seen| Telegram/88YkBdmMMIAUjkN-cy3WAm2Yboedxaf0GfTYOA3KafU0qTc 2026-05-12 18:40:06+00:00| seen| https://t.me/truesecator/8195...
CVE-2026-45321
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...
@stacker-oss/cli (>=0.1.0 <=0.1.2), @sykoramaros/marosh-components (>=0.0.6 <=0.1.17) +2 more potentially affected by CVE-2026-45321 via @tanstack/router-cli (=1.166.43)
@tanstack/router-cli NPM version =1.166.43 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/router-cli and may be impacted: - @stacker-oss/cli =0.1.0, =0.0.6, =0.0.4, =0.0.2, =0.0.3 Source cves: CVE-2026-45321 Source advisory:...
@abhishekbarve/react-components (>=1.0.1 <=1.0.8), @adpush/start (>=1.87.15 <=1.87.16) +148 more potentially affected by CVE-2026-45321 via @tanstack/router-generator (>=1.10.0 <=1.166.42)
@tanstack/router-generator NPM version =1.10.0, =1.0.1, =1.87.15, =0.1.0, =0.0.2-canary.11, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =0.1.0, =1.0.0, =0.2.0, =0.2.0, =0.2.12 - @dauphaihau/react-template =1.0.0 and more Source cves: CVE-2026-45321 Source advisory:...
@leeforge/fusion (=0.1.0), @nativescript/tanstack-router (>=0.0.1 <=0.1.2) +6 more potentially affected by CVE-2026-45321 via @tanstack/solid-router (>=1.121.0-alpha.28 <=1.169.2)
@tanstack/solid-router NPM version =1.121.0-alpha.28, =0.0.1, =1.20.3-alpha.1, =1.20.3-alpha.1, =1.20.3-alpha.1, =0.1.0, =1.0.15 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKSOLIDROUTER-16640230...
@tanstack/vue-start (>=1.141.0 <=1.167.58), @tanstack/vue-start-client (>=1.141.0 <=1.166.43) +1 more potentially affected by CVE-2026-45321 via @tanstack/vue-router (>=1.141.0 <=1.169.2)
@tanstack/vue-router NPM version =1.141.0, =1.141.0, =1.141.0, =1.141.0, =1.166.47 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKVUEROUTER-16640252...
@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +92 more potentially affected by CVE-2026-45321 via @tanstack/react-start-server (>=1.121.0-alpha.28 <=1.166.52)
@tanstack/react-start-server NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTSTARTSERVER-16640213...
@ardeora/start-devtools (>=1.0.0 <=1.0.1), @brendonovich/solidjs__start (>=0.0.0 <=0.0.3) +39 more potentially affected by CVE-2026-45321 via @tanstack/router-utils (>=1.121.0-alpha.28 <=1.158.0)
@tanstack/router-utils NPM version =1.121.0-alpha.28, =1.0.0, =0.0.0, =1.0.0, =1.0.11, =0.1.0, =1.1.0, =1.121.0-alpha.28, =1.20.3-alpha.1, =1.111.10, =1.20.3-alpha.1, =1.111.10, =1.111.10, =1.121.0-alpha.28, =1.161.3 and more Source cves: CVE-2026-45321 Source advisory:...
@solidjs-email/dev-server (=2.0.0) potentially affected by CVE-2026-45321 via @tanstack/solid-start (=1.167.62)
@tanstack/solid-start NPM version =1.167.62 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/solid-start and may be impacted: - @solidjs-email/dev-server =2.0.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKSOLIDSTART-16640237...
@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +92 more potentially affected by CVE-2026-45321 via @tanstack/react-start-client (>=1.121.0-alpha.28 <=1.166.48)
@tanstack/react-start-client NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTSTARTCLIENT-16640209...
@abhishekbarve/react-components (>=1.0.1 <=1.0.8), @adpush/start (>=1.87.15 <=1.87.16) +141 more potentially affected by CVE-2026-45321 via @tanstack/router-plugin (>=1.121.0-alpha.28 <=1.167.4)
@tanstack/router-plugin NPM version =1.121.0-alpha.28, =1.0.1, =1.87.15, =0.1.0, =0.0.2-canary.11, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =0.1.0, =1.0.0, =0.2.0, =0.2.0, =0.2.12 - @dauphaihau/react-template =1.0.0 and more Source cves: CVE-2026-45321 Source advisory:...
@8btc/finance-assistant-mcp (>=0.0.1 <=0.0.69), @8btc/office-assistant-mcp (>=0.0.1 <=0.0.26-beta.1) +106 more potentially affected by CVE-2026-45321 via @tanstack/router-devtools-core (>=1.120.19 <=1.167.3)
@tanstack/router-devtools-core NPM version =1.120.19, =0.0.1, =0.0.1, =0.0.1-alpha.14, =0.1.0, =0.0.4, =0.1.0, =0.2.0, =0.2.0, =1.0.0, =0.1.0, =2.0.1-alpha-20260224145405, =2.0.1-alpha.6 - @ezshare/cli =0.0.0 - @ezshare/lib =0.0.0 - @ezshare/web =0.0.0 and more Source cves: CVE-2026-45321 Source...
@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +120 more potentially affected by CVE-2026-45321 via @tanstack/start-client-core (>=1.121.0-alpha.28 <=1.168.2)
@tanstack/start-client-core NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKSTARTCLIENTCORE-16640238...
@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +97 more potentially affected by CVE-2026-45321 via @tanstack/start-plugin-core (>=1.121.0-alpha.28 <=1.169.20)
@tanstack/start-plugin-core NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKSTARTPLUGINCORE-16640240...
@8btc/finance-assistant-mcp (>=0.0.1 <=0.0.69), @8btc/office-assistant-mcp (>=0.0.1 <=0.0.26-beta.1) +457 more potentially affected by CVE-2026-45321 via @tanstack/react-router (>=1.0.0 <=1.169.2)
@tanstack/react-router NPM version =1.0.0, =0.0.1, =0.0.1, =0.1.0, =0.2.0, =1.0.0, =0.0.1-alpha.14, =0.1.0, =0.0.2-canary.11, =0.1.0, =1.0.0, =1.0.0, =0.0.1, =0.18.0, =0.19.0 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTROUTER-16640208...
@draftlab/auth (>=0.0.2 <=0.14.0) potentially affected by CVE-2026-45321 via @draftlab/auth-router (>=0.0.1 <=0.5.0)
@draftlab/auth-router NPM version =0.0.1, =0.0.2, =0.14.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-DRAFTLABAUTHROUTER-16640350...
@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +109 more potentially affected by CVE-2026-45321 via @tanstack/start-server-core (>=1.121.0-alpha.28 <=1.167.30)
@tanstack/start-server-core NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKSTARTSERVERCORE-16640241...
@8btc/finance-assistant-mcp (>=0.0.1 <=0.0.69), @8btc/office-assistant-mcp (>=0.0.1 <=0.0.26-beta.1) +506 more potentially affected by CVE-2026-45321 via @tanstack/router-core (>=1.108.0 <=1.169.2)
@tanstack/router-core NPM version =1.108.0, =0.0.1, =0.0.1, =1.0.1, =1.87.15, =0.1.0, =0.2.0, =1.0.0, =0.0.1-alpha.14, =0.1.0, =0.0.2-canary.11, =0.1.0, =1.0.0, =1.0.0, =1.0.3 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKROUTERCORE-16640218...