CVE-2026-45772 | CRITICAL 9.8 | EPSS percentile 30.2%


Description

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From version 1.1.0 up to, but not including, 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a project-controlled `yarnPath` from `.yarnrc.yml`. An attacker who controls repository contents could therefore cause code execution whenever a user or CI system runs affected `turbo`, `@turbo/codemod`, or `@turbo/workspace` conversion commands in that repository. This vulnerability is fixed in 2.9.14.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.39% probability of exploitation · percentile 30.2% · 2026-06-19T12:03:05Z
Published: 2026-05-15
Last modified: 2026-05-19

Underlying weaknesses (1)

CWE-426

References

  1. https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726


Type      Target                           Confidence  Tier
Weakness  Untrusted Search Path (cwe-426)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-49374
CVE: CVE-2025-4674
CVE: CVE-2026-49373
CVE: TanStack Unspecified Vulnerability
CVE: CVE-2025-61592
CVE: CVE-2026-44728

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.