CVE-2026-42994 · CRITICAL 9.8 · EPSS p22.1%

Description

The copy of Bitwarden CLI 2026.4.0 served from npm between 2026-04-22T21:57Z and 2026-04-22T23:30Z contained embedded malicious code; installs obtained from npm during that window are affected. This is related to a Checkmarx supply chain incident.
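A triage check a practitioner would want alongside this record, added here as an example (it is not part of the NVD record, this page, or Bitwarden's own tooling): it scans a package-lock.json for the affected package at the affected version in both lockfile formats, surfaces the resolved URL and integrity hash for comparison with what the registry serves now, and tests a registry publish timestamp against the window given above. The npm package name @bitwarden/cli is assumed (the record only says "Bitwarden CLI"); the sample lockfiles and the `time` object are constructed, not real data, and the script makes no network calls.

```python
"""Triage helper for a time-boxed npm supply-chain compromise.

Added example; not part of the NVD record and not Bitwarden's tooling.
Assumption: the Bitwarden CLI is published on npm as @bitwarden/cli (the
record names only "Bitwarden CLI"). Version and UTC window are taken from the
record's description.
"""
import json
from datetime import datetime, timezone

AFFECTED_PACKAGE = "@bitwarden/cli"   # assumed npm package name (see docstring)
AFFECTED_VERSION = "2026.4.0"
WINDOW_START = datetime(2026, 4, 22, 21, 57, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 22, 23, 30, tzinfo=timezone.utc)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp in the registry's '...Z' form to aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def in_window(ts: str) -> bool:
    """True if the timestamp lies inside the compromised publish window (inclusive)."""
    return WINDOW_START <= parse_utc(ts) <= WINDOW_END


def lockfile_findings(lock: dict) -> list[dict]:
    """Return every entry pinning the affected package at the affected version.

    Handles lockfileVersion 2/3 (flat 'packages' map keyed by install path) and
    lockfileVersion 1 (nested 'dependencies' tree). v2 files carry both shapes,
    so only one is walked to avoid double counting. Each finding keeps the
    'resolved' tarball URL and 'integrity' hash for comparison with the registry.
    """
    findings: list[dict] = []

    def record(path: str, meta: dict) -> None:
        findings.append({"path": path,
                         "resolved": meta.get("resolved"),
                         "integrity": meta.get("integrity")})

    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # scoped names survive rsplit: ".../node_modules/@bitwarden/cli"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name == AFFECTED_PACKAGE and meta.get("version") == AFFECTED_VERSION:
                record(path, meta)
        return findings

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == AFFECTED_PACKAGE and meta.get("version") == AFFECTED_VERSION:
                record(path, meta)
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return findings


def registry_publish_in_window(time_field: dict) -> bool:
    """Given the 'time' object of `npm view <pkg> time --json` (version -> publish
    timestamp), report whether the affected version was published inside the window."""
    ts = time_field.get(AFFECTED_VERSION)
    return bool(ts) and in_window(ts)


# Constructed sample inputs: not real lockfiles or registry data.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "ci-tools", "lockfileVersion": 3,
  "packages": {
    "": {"name": "ci-tools", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {
      "version": "2026.4.0",
      "resolved": "https://registry.npmjs.org/@bitwarden/cli/-/cli-2026.4.0.tgz",
      "integrity": "sha512-CONSTRUCTEDxxxxxxxx"
    },
    "node_modules/other/node_modules/@bitwarden/cli": {"version": "2026.3.0"}
  }
}""")

SAMPLE_LOCK_V1 = json.loads("""{
  "name": "legacy", "lockfileVersion": 1,
  "dependencies": {
    "wrapper": {"version": "0.1.0", "dependencies": {
      "@bitwarden/cli": {"version": "2026.4.0", "integrity": "sha512-CONSTRUCTEDyyyyyyyy"}
    }}
  }
}""")

SAMPLE_TIME = {"created": "2020-01-01T00:00:00.000Z", "2026.4.0": "2026-04-22T22:05:13.000Z"}

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for f in lockfile_findings(lock):
            print(f"pinned {AFFECTED_PACKAGE}@{AFFECTED_VERSION} at {f['path']} "
                  f"integrity={f['integrity']}")
    print("affected version published in window:", registry_publish_in_window(SAMPLE_TIME))
```

The version match alone only tells you a lockfile pins 2026.4.0; the integrity hash is what lets you tell a tarball fetched inside the window from whatever the registry serves for that version afterwards, so compare it against the live registry before concluding a host is clean.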

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.31% probability of exploitation · percentile 22.1% · scored 2026-06-18T12:00:27Z
Published: 2026-05-01
Last modified: 2026-05-04

Underlying weaknesses · 2

CWE-78, CWE-94

References

  1. https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127

Type      Target                                                                                                Confidence  Tier
Weakness  CWE-78  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')  0%          live
Weakness  CWE-94  Improper Control of Generation of Code ('Code Injection')                                   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-10894
  2. CVE-2026-43640
  3. CVE-2026-43639
  4. CVE-2026-24096
  5. Nx Console Embedded Malicious Code Vulnerability (CVE)
  6. CVE-2025-26817
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.