Lucene search
K

5 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.11 views

CVE-2026-45772

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection...

9.8CVSS6.2AI score0.00386EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/15 3:45 p.m.44 views

CVE-2026-45772 Turborepo: Unexpected local code execution during Yarn Berry detection

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection...

0.00386EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.13 views

PT-2026-41311

Name of the Vulnerable Software and Affected Versions Turborepo versions 1.1.0 through 2.9.13 Description Turborepo is a high-performance build system for JavaScript and TypeScript codebases. A flaw in package manager detection allows arbitrary code execution when the system is run in untrusted...

9.8CVSS6.4AI score0.00386EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/10 12:0 a.m.17 views

Malicious code in dit-envv (npm)

dit-envv is a typosquatting package impersonating dotenv, the widely-used environment variable loader. The package bundles the legitimate dotenv source and documentation to appear functional while hiding a credential-theft payload in index1.js, executed at install time via the postinstall script...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/09 12:0 a.m.16 views

Malicious code in haswons (npm)

haswons is a typosquatting package impersonating hasown, the utility for checking whether an object has a direct own property. The package bundles the legitimate hasown source to appear functional while hiding a credential-theft payload in index1.js, executed at install time via the postinstall...

5.8AI score
Exploits0
Rows per page
Query Builder