@ardeora/start-devtools (>=1.0.0 <=1.0.1), @carvajalconsultants/headstart (>=1.0.0 <=1.0.2) +29 more potentially affected by unknown CVE via @tanstack/start-server-core (>=1.121.0-alpha.28 <=1.167.3)

@tanstack/start-server-core NPM version =1.121.0-alpha.28, =1.0.0, =1.0.0, =0.0.14, =0.3.0, =0.3.0, =1.20.3-alpha.1, =1.111.10, =1.121.23, =0.0.1, =1.121.0-alpha.28, =1.20.3-alpha.1, =1.114.29, =1.121.23, =1.121.0-alpha.28, =1.97.4, =1.120.20 and more Source cves: unknown CVE Source advisory:...

@tanstack/react-start (=1.166.4), @tanstack/react-start-client (=1.166.4) +11 more potentially affected by CVE-2026-45321 via @tanstack/start-storage-context (=1.166.4)

@tanstack/start-storage-context NPM version =1.166.4 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/start-storage-context and may be impacted: - @tanstack/react-start =1.166.4 - @tanstack/react-start-client =1.166.4 -...

@tanstack/react-start (>=1.167.5 <=1.167.6), @tanstack/router-vite-plugin (=1.166.19) +3 more potentially affected by CVE-2026-45321 via @tanstack/router-plugin (=1.167.4)

@tanstack/router-plugin NPM version =1.167.4 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/router-plugin and may be impacted: - @tanstack/react-start =1.167.5, =1.167.5, =1.167.8, =1.167.5, =1.167.6 Source cves: CVE-2026-45321 Source...

@tanstack/react-start (=1.167.25) potentially affected by CVE-2026-45321 via @tanstack/react-start-rsc (=0.0.5)

@tanstack/react-start-rsc NPM version =0.0.5 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/react-start-rsc and may be impacted: - @tanstack/react-start =1.167.25 Source cves: CVE-2026-45321 Source advisory: OSV:GHSA-G7CV-RXG3-HMPX...

Malicious code in @tanstack/react-start (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 006982dd9591684fdcea74c0b70c7600a22bfc969bac6b9fb64f728e7ab34d80 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3468 Malicious code in @tanstack/react-start (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 006982dd9591684fdcea74c0b70c7600a22bfc969bac6b9fb64f728e7ab34d80 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@tanstack/react-start (=1.167.25) potentially affected by unknown CVE via @tanstack/react-start-rsc (=0.0.5)

@tanstack/react-start-rsc NPM version =0.0.5 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/react-start-rsc and may be impacted: - @tanstack/react-start =1.167.25 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3470...

MAL-2026-3470 Malicious code in @tanstack/react-start-rsc (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 54678e0e02befdbc43f928e36fa9a25991d3eb222775849d4225eab0480904f1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3469 Malicious code in @tanstack/react-start-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8358ce998650baf1a9cb6bb602109da81268c43855ad0b16f892687cc89f104d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@d-trattner/pidex (>=0.1.1 <=0.1.3), birdclaw (>=0.1.0 <=0.6.0) +1 more potentially affected by CVE-2026-45321 via @tanstack/react-start (>=1.167.2 <=1.167.65)

@tanstack/react-start NPM version =1.167.2, =0.1.1, =0.1.0, =0.0.0-dev, =0.23.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTSTART-16640215...

@d-trattner/pidex (>=0.1.1 <=0.1.3), @tanstack/react-start (>=1.167.21 <=1.167.65) +1 more potentially affected by CVE-2026-45321 via @tanstack/react-start-rsc (>=0.0.1 <=0.0.5)

@tanstack/react-start-rsc NPM version =0.0.1, =0.1.1, =1.167.21, =0.1.0, =0.6.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTSTARTRSC-16640211...

@d-trattner/pidex (>=0.1.1 <=0.1.3), @tanstack/react-start (>=1.121.0-alpha.28 <=1.167.65) +2 more potentially affected by CVE-2026-45321 via @tanstack/react-start-client (>=1.121.0-alpha.28 <=1.166.48)

@tanstack/react-start-client NPM version =1.121.0-alpha.28, =0.1.1, =1.121.0-alpha.28, =0.1.0, =0.0.0-dev, =0.23.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTSTARTCLIENT-16640209...

@clerk/agent-toolkit (>=0.3.1-canary.v20260303211310 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.1-canary.v20260303211310 <=3.0.19-canary.v20260422163039) +9 more potentially affected by CVE-2026-34076 via @clerk/backend (>=3.0.0 <=3.2.3-snapshot.v20260327200941)

@clerk/backend NPM version =3.0.0, =0.3.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =0.0.3-canary.v20260303211310, =7.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310,...

@abysslabs/cli (=0.0.2), @analogjs/vite-plugin-nitro (>=2.4.0-alpha.2 <=3.0.0-alpha.1) +27 more potentially affected by CVE-2026-33490 via h3 (>=2.0.1-rc.11 <=2.0.1-rc.16)

h3 NPM version =2.0.1-rc.11, =2.4.0-alpha.2, =3.23.1-20260131-121433-34f631e, =0.15.0, =1.154.7, =0.0.1, =1.154.7, =1.154.7, =1.154.7, =2.0.0-beta.19 and more Source cves: CVE-2026-33490 Source advisory: SNYK:JS-H3-15745916...