Skip to main content

Turborepo LSP CVE-2026-46508

| EUVDEUVD-2026-30555 HIGH
Command Injection (CWE-77)
2026-05-15 GitHub_M
8.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 17:01 EUVD
Analysis Generated
May 15, 2026 - 16:30 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
8.4 (HIGH)

DescriptionGitHub Advisory

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted values through workspace settings or task names in the repository's source code that were interpolated into shell commands. When the extension activated or when a user ran a task through the extension, those values could be interpreted by the user's shell, allowing arbitrary command execution with the privileges of the local VS Code process. This vulnerability is fixed in 2.9.14000.

AnalysisAI

Command injection in the Turborepo LSP VS Code extension before version 2.9.14000 allows arbitrary code execution when opening malicious workspaces. The vulnerability stems from unsafe string interpolation in shell commands, enabling attackers to inject commands through workspace settings or task names that execute with the user's VS Code process privileges. The CVSS 4.0 score of 8.4 indicates high severity with local access and user interaction required.

Technical ContextAI

The Turborepo LSP (Language Server Protocol) is a VS Code extension for Turborepo, a JavaScript/TypeScript build system. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), where user-controlled input from workspace settings or task names in the repository source code is directly interpolated into shell commands without proper sanitization. The extension executes these commands for Turborepo daemon operations and task runs through string-based command execution.

RemediationAI

Vendor-released patch: upgrade the Turborepo LSP VS Code extension to version 2.9.14000 or later. VS Code users can update through the Extensions marketplace or manually install the patched version. As an immediate workaround until patching, avoid opening untrusted repositories or workspaces in VS Code with the Turborepo extension enabled. Consider disabling the extension when working with third-party codebases. There are no known side effects to upgrading beyond standard extension update procedures.

Share

CVE-2026-46508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy