CVE•Published 2026-05-15•Modified 2026-05-19•1 article on news•5 live references•NVD data

CVE-2026-45772Vercel · Turborepo

Vulnerability data via NVD (ingested)

CVSS v3.1

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-426Untrusted Search Path

Description

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.

Timeline

Published 2026-05-15

Modified 2026-05-19

External references

NVD MITRE Exploit-DB Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-45772

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Vercel Turborepo"

All exposed Vercel Turborepo instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Turborepo"

HTTP body or banner mentions "Turborepo" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-45772