
Turborepo CVE-2026-45772 | EUVD-2026-30551
Untrusted Search Path (CWE-426)
2026-05-15 · GitHub_M · GHSA-3qcw-2rhx-2726

Lifecycle Timeline

Patch available: May 15, 2026 - 17:01 (EUVD)
CVE published: May 15, 2026 - 15:45 (NVD)
Severity: UNKNOWN (no severity assigned yet)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved to a depth of 4):
  • 1 npm package depends on @turbo/workspaces (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.3.4.

Description (NVD)

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Versions from 1.1.0 up to, but not including, 2.9.14 can be vulnerable to arbitrary code execution when run in an untrusted repository that contains malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which causes Yarn to load and execute a project-controlled yarnPath from that project's .yarnrc.yml. An attacker who controls the repository contents (for example, by submitting a pull request that CI checks out and builds) can therefore obtain code execution when a user or CI system runs an affected turbo, @turbo/codemod, or @turbo/workspaces conversion command in that checkout. The vulnerability is fixed in 2.9.14; until upgraded, treat any checkout that pins a yarnPath as running that file the moment package manager detection happens.
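The mechanism above is that the checkout, not the user, chooses which Yarn binary runs: package manager detection executes yarn --version inside the project directory, and Yarn honours a yarnPath pinned in that directory's .yarnrc.yml (or yarn-path in a classic Yarn 1 .yarnrc). The POSIX shell script below is an added example, not code from Turborepo, the advisory, or vuln.today. It builds a constructed checkout that pins a launcher the way a malicious pull request would, and shows a pre-flight check a CI job can run before invoking turbo on an untrusted repository. The function names (yarnrc_yarnpath, yarnrc_check, safe_turbo, make_demo_repo, make_clean_repo) and the demo file names are assumptions; safe_turbo is shown but not executed here because it calls the real turbo binary.

```shell
#!/bin/sh
# Pre-flight check for untrusted checkouts (added example, not Turborepo code).
# Threat: a tool that runs `yarn --version` inside the repo lets Yarn honour a
# project-controlled launcher (yarnPath in .yarnrc.yml, yarn-path in a classic
# .yarnrc), so the repository decides which JavaScript file executes.

# yarnrc_yarnpath REPO: print the launcher path the project pins, if any.
yarnrc_yarnpath() {
  repo="$1"
  # Yarn 2+ (Berry): top-level `yarnPath:` key in .yarnrc.yml, value optionally quoted.
  if [ -f "$repo/.yarnrc.yml" ]; then
    v=$(awk '$1 == "yarnPath:" { gsub(/["'"'"']/, "", $2); print $2; exit }' "$repo/.yarnrc.yml")
    if [ -n "$v" ]; then echo "$v"; return 0; fi
  fi
  # Yarn 1.x (classic): `yarn-path "<path>"` in .yarnrc.
  if [ -f "$repo/.yarnrc" ]; then
    v=$(awk '$1 == "yarn-path" { gsub(/["'"'"']/, "", $2); print $2; exit }' "$repo/.yarnrc")
    if [ -n "$v" ]; then echo "$v"; return 0; fi
  fi
  return 0
}

# yarnrc_check REPO: return 0 when nothing is pinned, 1 (with the reason on
# stderr) when the checkout would choose the Yarn binary that gets executed.
yarnrc_check() {
  p=$(yarnrc_yarnpath "$1")
  if [ -n "$p" ]; then
    echo "refusing: $1 pins a Yarn launcher at '$p'; 'yarn --version' here would execute it" >&2
    return 1
  fi
  return 0
}

# safe_turbo ARGS...: what a CI job could call instead of bare `turbo` (hypothetical wrapper).
safe_turbo() {
  yarnrc_check "$(pwd)" && turbo "$@"
}

# Constructed demo checkout (hypothetical file names) mimicking a malicious PR.
make_demo_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/.yarn/releases"
  # Any JavaScript placed here runs with the caller's privileges once Yarn honours yarnPath.
  printf '%s\n' 'console.log("attacker-controlled JavaScript ran")' \
    > "$d/.yarn/releases/yarn-4.0.0.cjs"
  printf '%s\n' 'nodeLinker: node-modules' 'yarnPath: .yarn/releases/yarn-4.0.0.cjs' \
    > "$d/.yarnrc.yml"
  echo "$d"
}

# A checkout with Yarn configuration but no pinned launcher.
make_clean_repo() {
  d=$(mktemp -d)
  printf '%s\n' 'nodeLinker: node-modules' > "$d/.yarnrc.yml"
  echo "$d"
}

demo=$(make_demo_repo)
yarnrc_check "$demo" || echo "blocked: $demo would not be handed to turbo"
clean=$(make_clean_repo)
yarnrc_check "$clean" && echo "ok: $clean pins no project-controlled Yarn launcher"
rm -rf "$demo" "$clean"
```

The check only inspects the checkout itself: Yarn also reads rc files from parent directories and the home directory, but those are under the operator's control rather than the repository's, which is the trust boundary this advisory is about. A pinned yarnPath is legitimate in many monorepos, so the wrapper is a gate for untrusted input (pull requests from forks, cloned third-party repositories), not a reason to strip the setting from your own projects; the durable fix remains upgrading to 2.9.14.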



CVE-2026-45772 vulnerability details – vuln.today
