1309 matches found

AstraLinux
added 6 days ago, 2 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: A crash occurred during the disabling of turbo mode. When the system is booted with the kernel command line arguments “nosmt” or “maxcpus” to limit the number of CPUs, disabling turbo mode by executing: echo...

CVSS 5.5 | AI score 5.3 | EPSS 0.00121
Exploits: 0 | References: 1

AstraLinux
added 6 days ago, 5 views

Astra Linux – Vulnerability in libjpeg-turbo

Libjpeg-turbo 1.5.2 has a NULL Pointer Dereference issue in files jdpostct.c and jquant1.c, due to a malicious JPEG file...

CVSS 6.5 | AI score 6.4 | EPSS 0.02365
Exploits: 1 | References: 2

AstraLinux
added 6 days ago, 6 views

Astra Linux – Vulnerability in Chromium

In libjpeg-turbo, a vulnerability existed in versions prior to 94.0.4606.54, allowing a remote attacker to potentially exploit heap corruption through a crafted HTML page...

CVSS 8.8 | AI score 6.8 | EPSS 0.01662
Exploits: 1 | References: 2

AstraLinux
added 6 days ago, 3 views

Astra Linux – Vulnerability in libjpeg-turbo

LibJPEG 9c has a major issue with a large loop, as the readPixel function in rdtarga.c improperly handles EOF situations...

CVSS 7.5 | AI score 6.3 | EPSS 0.03162
Exploits: 0 | References: 2

vulnersOsv
added 2026/06/04 3:23 p.m., 6 views

31g-form-parser (=1.0.107), @0xmike/web-kit (>=0.0.6 <=0.1.1) +452 more potentially affected by CVE-2026-34077 via turbo-stream (>=1.2.1 <=2.4.1)

turbo-stream NPM version =1.2.1, =0.0.6, =4.0.0, =4.15.0, =0.0.3, =1.4.0, =0.0.1, =1.2.0, =1.2.0, =0.1.0, =1.0.10, =0.0.2, =1.0.0, =0.0.2, =0.0.13 and more Source cves: CVE-2026-34077 Source advisory: OSV:GHSA-RXV8-25V2-QMQ8...

CVSS 7.5 | AI score 5.4 | EPSS 0.00294
Exploits: 0

Github Security Blog
added 2026/06/03 9:3 p.m., 13 views

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

CVSS 8.1 | AI score 5.9 | EPSS 0.00416
Exploits: 0 | References: 3 | Affected Software: 1

OSV
added 2026/06/03 9:3 p.m., 8 views

GHSA-49RJ-9FVP-4H2H React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

CVSS 8.1 | AI score 5.9 | EPSS 0.00416
Exploits: 0 | References: 3

vulnersOsv
added 2026/06/02 10:22 p.m., 3 views

@0xmike/web-kit (>=0.0.6 <=0.1.1), @abundiko/expo-template (=1.0.0) +317 more potentially affected by CVE-2026-34077 via turbo-stream (=2.4.1)

turbo-stream NPM version =2.4.1 is affected by a known vulnerability. The following packages have a transitive dependency on turbo-stream and may be impacted: - @0xmike/web-kit =0.0.6, =4.0.0, =4.15.0, =1.4.0, =0.0.1, =1.2.0, =1.2.0, =0.1.0, =1.0.10, =1.0.0, =0.0.2, =0.0.1, =1.0.6, =2.1.0 -...

CVSS 7.5 | AI score 5.4 | EPSS 0.00294
Exploits: 0

Snyk
added 2026/06/02 10:22 p.m., 7 views

Allocation of Resources Without Limits or Throttling

Overview: turbo-stream is a streaming data transport format that aims to support built-in features such as Promises, Dates, RegExps, Maps, Sets and more. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the serialization algorithm in th...

CVSS 8.7 | AI score 5.5 | EPSS 0.00294
Exploits: 0 | References: 2

Snyk
added 2026/06/02 10:22 p.m., 7 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the turbo-stream component in Framework Mode. An attacker can execute arbitrary code on the remote server by sending specially crafted external requests that exploit an existing prototype polluti...

CVSS 9.2 | AI score 6.1 | EPSS 0.00416
Exploits: 0 | References: 2

Vulnrichment
added 2026/06/02 6:18 p.m., 5 views

CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution...

CVSS 8.1 | AI score 6.5 | EPSS 0.00416
Exploits: 0 | References: 1

Cvelist
added 2026/06/02 6:18 p.m., 28 views

CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution...

CVSS 8.1 | EPSS 0.00416
Exploits: 0 | References: 1

CVE
added 2026/06/02 6:18 p.m., 117 views

CVE-2026-42211

CVE-2026-42211 affects React Router versions 7.0.0–7.14.1 when used in Framework Mode. A combination of steps could enable a prototype pollution condition that an attacker could leverage in a two-step process to trigger unauthorized remote code execution on the remote server. The issue does not i...

CVSS 8.1 | AI score 6.5 | EPSS 0.00416
Exploits: 0 | References: 1 | Affected Software: 1

Snyk
added 2026/06/01 9:0 p.m., 4 views

Malicious Package

Overview: turbo-axios is a malicious package. This package contains malicious code associated with the Epsilon Stealer malware campaign. While this package attempts to impersonate a legitimate performance-enhanced version of the axios HTTP client, there is no connection between the axios project o...

CVSS 9.8 | AI score 5.9
Exploits: 0 | References: 2

OSSF Malicious Packages
added 2026/05/23 3:53 p.m., 11 views

Malicious code in turbo-axios (npm)

Source: amazon-inspector (62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324). turbo-axios is a typosquat of the popular axios HTTP client; it re-exports the full axios API and reuses axios's repository/homepage metadata in...

AI score 6.6
Exploits: 0 | References: 2

OSV
added 2026/05/23 3:53 p.m., 6 views

MAL-2026-4695 Malicious code in turbo-axios (npm)

Source: amazon-inspector (62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324). turbo-axios is a typosquat of the popular axios HTTP client; it re-exports the full axios API and reuses axios's repository/homepage metadata in...

AI score 6.6
Exploits: 0 | References: 2

AstraLinux
added 2026/05/20 5:53 a.m., 3 views

Astra Linux – Vulnerability in libjpeg-turbo

All versions of Libjpeg-turbo have a stack-based buffer overflow in the “transform” component. A remote attacker can send a malformed JPEG file to the service, causing arbitrary code execution or denial of service for the target service...

CVSS 8.8 | AI score 7.6 | EPSS 0.02728
Exploits: 1 | References: 2

OSV
added 2026/05/19 7:49 p.m., 9 views

GHSA-HCF7-66RW-9F5R Turbo: Login callback CSRF/session fixation

Impact: Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the...

CVSS 5.1 | AI score 5.8 | EPSS 0.00124
Exploits: 0 | References: 3

vulnersOsv
added 2026/05/19 7:46 p.m., 4 views

@142vip/fairy-cli (>=0.0.3-alpha.19 <=0.0.3-alpha.28), @better-builds/turbo-tools (>=6.0.0 <=7.4.4-beta.2) +14 more potentially affected by CVE-2026-45772 via turbo (>=1.3.1 <=2.9.12)

turbo NPM version =1.3.1, =0.0.3-alpha.19, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =3.0.1, =0.0.0-20220725115922, =0.0.234, =0.3.0, =1.5.1, =0.3.2, =0.5.0, =1.1.0, =1.4.1 - incmix-ui-components =0.0.1 and more Source cves: CVE-2026-45772 Source advisory: OSV:GHSA-3QCW-2RHX-2726...

CVSS 9.8 | AI score 5.4 | EPSS 0.00386
Exploits: 0

vulnersOsv
added 2026/05/19 7:46 p.m., 4 views

@turbo/gen (>=2.3.4 <=2.8.8-canary.3) potentially affected by CVE-2026-45772 via @turbo/workspaces (>=2.3.4 <=2.8.8-canary.3)

@turbo/workspaces NPM version =2.3.4, =2.3.4, =2.8.8-canary.3 Source cves: CVE-2026-45772 Source advisory: OSV:GHSA-3QCW-2RHX-2726...

CVSS 9.8 | AI score 5.4 | EPSS 0.00386
Exploits: 0