cvebase

Vercel Turborepo vulnerabilities

3 known vulnerabilities affecting vercel/turborepo.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 1

Vulnerabilities

CVE-2026-45772 | P2 | CRITICAL | CVSS 9.8 | affected >= 1.1.0, < 2.9.14 | 2026-05-15
CVE-2026-45772 [CRITICAL] CWE-426: Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, w
Source: nvd
CVE-2026-46508 | P3 | HIGH | CVSS 7.8 | fixed in 2.9.14000 | 2026-05-15
CVE-2026-46508 [HIGH] CWE-77: Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted va
Source: nvd
CVE-2026-45773 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.9.14 | 2026-05-15
CVE-2026-45773 [MEDIUM] CWE-352: Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker
Source: nvd