@ardeora/start-devtools (>=1.0.0 <=1.0.1), @carvajalconsultants/headstart (>=1.0.0 <=1.0.2) +27 more potentially affected by unknown CVE via @tanstack/start-server-core (>=1.121.0-alpha.28 <=1.167.3)

@tanstack/start-server-core NPM version =1.121.0-alpha.28, =1.0.0, =1.0.0, =0.0.14, =1.20.3-alpha.1, =1.111.10, =1.121.23, =0.0.1, =1.121.0-alpha.28, =1.20.3-alpha.1, =1.114.29, =1.121.23, =1.121.0-alpha.28, =1.97.4, =1.111.10, =1.121.0-alpha.28, =1.169.18 and more Source cves: unknown CVE Source...

@ardeora/start-devtools (>=1.0.0 <=1.0.1), @carvajalconsultants/headstart (>=1.0.0 <=1.0.2) +27 more potentially affected by unknown CVE via @tanstack/start-server-core (>=1.121.0-alpha.28 <=1.167.3)

@tanstack/start-server-core NPM version =1.121.0-alpha.28, =1.0.0, =1.0.0, =0.0.14, =1.20.3-alpha.1, =1.111.10, =1.121.23, =0.0.1, =1.121.0-alpha.28, =1.20.3-alpha.1, =1.114.29, =1.121.23, =1.121.0-alpha.28, =1.97.4, =1.111.10, =1.121.0-alpha.28, =1.169.18 and more Source cves: unknown CVE Source...

Access of Resource Using Incompatible Type ('Type Confusion')

Overview Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' through an upstream type-confusion bug in seroval package. An attacker can trigger unintended execution of a different client-referenced server function by sending a specially...

@leeforge/fusion (=0.1.0), @nativescript/tanstack-router (>=0.0.1 <=0.1.2) +6 more potentially affected by unknown CVE via @tanstack/solid-router (>=1.121.0-alpha.28 <=1.169.2)

@tanstack/solid-router NPM version =1.121.0-alpha.28, =0.0.1, =1.20.3-alpha.1, =1.20.3-alpha.1, =1.20.3-alpha.1, =0.1.0, =1.0.15 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3481...

MAL-2026-3486 Malicious code in @tanstack/solid-start-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a9f623ce85c893266087d3eeb9812938d0f3eea0ddb33cd735589c104dafb8e2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/solid-start-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a9f623ce85c893266087d3eeb9812938d0f3eea0ddb33cd735589c104dafb8e2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@solidjs-email/dev-server (=2.0.0), @tanstack/solid-start (>=1.20.3-alpha.1 <=1.167.62) potentially affected by unknown CVE via @tanstack/solid-start-server (>=1.121.0-alpha.28 <=1.166.51)

@tanstack/solid-start-server NPM version =1.121.0-alpha.28, =1.20.3-alpha.1, =1.167.62 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3486...

Malicious code in @tanstack/start-server-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7db0631bb410a51551790c0b55b574d53aea5d7a677439e6f3cf877503317658 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +109 more potentially affected by unknown CVE via @tanstack/start-server-core (>=1.121.0-alpha.28 <=1.167.30)

@tanstack/start-server-core NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3490...

MAL-2026-3490 Malicious code in @tanstack/start-server-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7db0631bb410a51551790c0b55b574d53aea5d7a677439e6f3cf877503317658 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3500 Malicious code in @tanstack/vue-start-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6a2e72fba4613219c26e8bfb79da1c3db3666a9e7dc945f1b064e95aa04a5ac5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@tanstack/vue-start (>=1.141.0 <=1.167.58) potentially affected by unknown CVE via @tanstack/vue-start-server (>=1.141.0 <=1.166.5)

@tanstack/vue-start-server NPM version =1.141.0, =1.141.0, =1.167.58 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3500...

Malicious code in @tanstack/vue-start-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6a2e72fba4613219c26e8bfb79da1c3db3666a9e7dc945f1b064e95aa04a5ac5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/react-start-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 048a583947c3ecbeb540293e0de5d513e84f0ea2793ca31ee5d2a76d4f750ddd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +92 more potentially affected by unknown CVE via @tanstack/react-start-server (>=1.121.0-alpha.28 <=1.166.52)

@tanstack/react-start-server NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3471...

MAL-2026-3471 Malicious code in @tanstack/react-start-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 048a583947c3ecbeb540293e0de5d513e84f0ea2793ca31ee5d2a76d4f750ddd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +92 more potentially affected by CVE-2026-45321 via @tanstack/react-start-server (>=1.121.0-alpha.28 <=1.166.52)

@tanstack/react-start-server NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTSTARTSERVER-16640213...

@solidjs-email/dev-server (=2.0.0), @tanstack/solid-start (>=1.20.3-alpha.1 <=1.167.62) potentially affected by CVE-2026-45321 via @tanstack/solid-start-server (>=1.121.0-alpha.28 <=1.166.51)

@tanstack/solid-start-server NPM version =1.121.0-alpha.28, =1.20.3-alpha.1, =1.167.62 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKSOLIDSTARTSERVER-16640235...

@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +109 more potentially affected by CVE-2026-45321 via @tanstack/start-server-core (>=1.121.0-alpha.28 <=1.167.30)

@tanstack/start-server-core NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKSTARTSERVERCORE-16640241...

@tanstack/vue-start (>=1.141.0 <=1.167.58) potentially affected by CVE-2026-45321 via @tanstack/vue-start-server (>=1.141.0 <=1.166.5)

@tanstack/vue-start-server NPM version =1.141.0, =1.141.0, =1.167.58 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKVUESTARTSERVER-16640255...