
1276 matches found

OSV
added yesterday, 3 views

GHSA-49RJ-9FVP-4H2H React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

CVSS 8.1 | AI score 5.9 | EPSS 0.00252
Exploits: 0 | References: 3
Github Security Blog
added yesterday, 8 views

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

CVSS 8.1 | AI score 5.9 | EPSS 0.00252
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2 days ago, 22 views

CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution...

CVSS 8.1 | EPSS 0.00252
Exploits: 0 | References: 1
Vulnrichment
added 2 days ago, 3 views

CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution...

CVSS 8.1 | AI score 6.5 | EPSS 0.00252
Exploits: 0 | References: 1
CVE
added 2 days ago, 25 views

CVE-2026-42211

CVE-2026-42211 affects React Router versions 7.0.0–7.14.1 when used in Framework Mode. A combination of steps could enable a prototype pollution condition that an attacker could leverage in a two-step process to trigger unauthorized remote code execution on the remote server. The issue does not i...

CVSS 8.1 | AI score 6.5 | EPSS 0.00252
Exploits: 0 | References: 1
OSSF Malicious Packages
added 2026/05/23 3:53 p.m., 8 views

Malicious code in turbo-axios (npm)

Source: amazon-inspector 62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324 turbo-axios is a typosquat of the popular axios HTTP client; it re-exports the full axios API and reuses axios's repository/homepage metadata in...

AI score 6.6
Exploits: 0 | References: 2
OSV
added 2026/05/23 3:53 p.m., 3 views

MAL-2026-4695 Malicious code in turbo-axios (npm)

Source: amazon-inspector 62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324 turbo-axios is a typosquat of the popular axios HTTP client; it re-exports the full axios API and reuses axios's repository/homepage metadata in...

AI score 6.6
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m., 2 views

Astra Linux - vulnerability in libjpeg-turbo

Libjpeg-turbo 1.5.2 has a NULL Pointer Dereference issue in files jdpostct.c and jquant1.c, due to a malicious JPEG file...

CVSS 6.5 | AI score 6.6 | EPSS 0.00373
Exploits: 1 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m., 4 views

Astra Linux - vulnerability in chromium

In libjpeg-turbo, a vulnerability existed in versions prior to 94.0.4606.54, allowing a remote attacker to potentially exploit heap corruption through a crafted HTML page...

CVSS 8.8 | AI score 7.3 | EPSS 0.00621
Exploits: 1 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m., 2 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: A crash occurred during the disabling of turbo mode. When the system is booted with the kernel command line arguments “nosmt” or “maxcpus” to limit the number of CPUs, disabling turbo mode by executing: echo...

CVSS 5.5 | AI score 5.6 | EPSS 0.00017
Exploits: 0 | References: 1
AstraLinux
added 2026/05/20 5:53 a.m., 2 views

Astra Linux - vulnerability in libjpeg-turbo

LibJPEG 9c has a major issue with a large loop, as the readPixel function in rdtarga.c improperly handles EOF situations...

CVSS 7.5 | AI score 6.7 | EPSS 0.00278
Exploits: 0 | References: 2
OSV
added 2026/05/19 7:49 p.m., 5 views

GHSA-HCF7-66RW-9F5R Turbo: Login callback CSRF/session fixation

Impact: Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the...

CVSS 5.1 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 3
Snyk
added 2026/05/19 7:46 p.m., 3 views

Untrusted Search Path

Overview: @turbo/codemod provides Codemod transformations to help upgrade your Turborepo codebase when a feature is deprecated. Affected versions of this package are vulnerable to Untrusted Search Path in the package manager detection. An attacker can execute arbitrary code by placing a...

CVSS 9.8 | AI score 6.2 | EPSS 0.00098
Exploits: 0 | References: 2
Patchstack
added 2026/05/19 7:46 p.m., 3 views

NPM: Turbo: Unexpected local code execution during Yarn Berry detection

NPM: Turbo: Unexpected local code execution during Yarn Berry detection vulnerability discovered by ? in WordPress Npm turbo versions = 1.1.0, 2.9.14...

CVSS 9.8 | AI score 6.2 | EPSS 0.00098
Exploits: 0 | References: 3 | Affected Software: 1
Snyk
added 2026/05/19 7:46 p.m., 2 views

Untrusted Search Path

Overview: @turbo/workspaces provides tools for working with package managers. Affected versions of this package are vulnerable to Untrusted Search Path in the package manager detection. An attacker can execute arbitrary code by placing a malicious .yarnrc.yml file with a controlled yarnPath in a...

CVSS 9.8 | AI score 6.2 | EPSS 0.00098
Exploits: 0 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m., 2 views

Astra Linux - vulnerability in libjpeg-turbo

All versions of Libjpeg-turbo have a stack-based buffer overflow in the “transform” component. A remote attacker can send a malformed JPEG file to the service, causing arbitrary code execution or denial of service for the target service...

CVSS 8.8 | AI score 7.6 | EPSS 0.00494
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m., 3 views

Astra Linux - vulnerability in libjpeg-turbo

A crafted input file could cause a null pointer dereference in jcopysamplerows when processed by libjpeg-turbo...

CVSS 5.5 | AI score 6.9 | EPSS 0.00026
Exploits: 0 | References: 2
OSV
added 2026/04/20 6:15 a.m., 1 view

MAL-2026-2944 Malicious code in turbo-leven (npm)

Source: amazon-inspector c0903aeeee8de9f8d0b7bae616fb57ef1468d676ff1f319791b54a4c658211b4 The package turbo-leven was found to contain malicious code. Source: ghsa-malware 6a89f53d914eeb23f58756ee338b08701d799e346d6901d2f374bb51e736b2ef An...

AI score 5.7
Exploits: 0 | References: 1
OSSF Malicious Packages
added 2026/04/20 6:15 a.m., 3 views

Malicious code in turbo-he (npm)

Source: amazon-inspector 1da17bf1f37303e3d91056c1ce674462279861bc896e413f1d262548ff6b3647 The package turbo-he was found to contain malicious code. Source: ghsa-malware 6bd9985ec0cf97c08347814d88b84c1c12cd8f22507a76e2a78cacb06c6840a6 Any...

AI score 5.7
Exploits: 0 | References: 1
Snyk
added 2026/04/20 6:15 a.m., 2 views

Malicious Package

Overview: turbo-he is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8 | AI score 5.7
Exploits: 0 | References: 2