Cyber Resilience

CVE-2026-45772

Severity: Low

Published: 15 May 2026
Modified: 19 May 2026
CVSS v4 score: 0.0 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0039 (30.5th percentile)
Risk priority: 0 (floored blend · peak EPSS)

Summary

CVE-2026-45772 is an uncategorised-severity Untrusted Search Path (CWE-426) vulnerability in Vercel Turborepo. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.
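A CI pre-flight check a defender could run before invoking turbo in a checkout they do not trust, added here as an example (not Turborepo's or Yarn's own code): it reads .yarnrc.yml and refuses to proceed when yarnPath names a committed file whose SHA-256 is not on an operator-kept allow-list of known Yarn releases. The minimal YAML matcher, the allow-list contents and the verdict names are assumptions; upgrading to 2.9.14 remains the fix.

```python
"""Pre-flight guard before running turbo in an untrusted checkout.
Added example for this advisory, not Turborepo or Yarn code. It inspects
.yarnrc.yml and refuses when yarnPath names a committed file whose SHA-256
is not on an operator-kept allow-list (the allow-list, the minimal YAML
matcher and the verdict names are assumptions)."""
import hashlib
import re
from pathlib import Path
from typing import FrozenSet, Optional

# Top-level `yarnPath: value` (optional quotes, trailing comment). Minimal on
# purpose so it runs without PyYAML; nested/flow-style YAML is out of scope.
_YARN_PATH_RE = re.compile(
    r'^yarnPath:[ \t]*(["\']?)(?P<path>[^"\'#\r\n]+?)\1[ \t]*(?:#.*)?$', re.M)


def find_yarn_path(yarnrc_text: str) -> Optional[str]:
    """Return the yarnPath declared in a .yarnrc.yml body, or None."""
    m = _YARN_PATH_RE.search(yarnrc_text)
    return m.group("path").strip() if m else None


def verdict_for(yarn_path: Optional[str], target_sha256: Optional[str],
                allowed_sha256: FrozenSet[str]) -> str:
    """'ok' (no yarnPath, or target allow-listed), 'missing' (yarnPath set
    but target file absent) or 'untrusted' (committed file, unknown hash)."""
    if yarn_path is None:
        return "ok"
    if target_sha256 is None:
        return "missing"
    return "ok" if target_sha256 in allowed_sha256 else "untrusted"


def assess_checkout(repo_dir: str, allowed_sha256: FrozenSet[str]) -> dict:
    """Hash the yarnPath target of <repo_dir>/.yarnrc.yml and return a verdict.
    A relative yarnPath resolves against the project directory, which is the
    file Yarn would execute when `yarn --version` runs from there."""
    repo = Path(repo_dir)
    rc = repo / ".yarnrc.yml"
    yarn_path, target, digest = None, None, None
    if rc.is_file():
        yarn_path = find_yarn_path(rc.read_text(encoding="utf-8", errors="replace"))
    if yarn_path is not None:
        target = (repo / yarn_path).resolve()
        if target.is_file():
            digest = hashlib.sha256(target.read_bytes()).hexdigest()
    return {"yarnPath": yarn_path, "target": str(target) if target else None,
            "sha256": digest, "verdict": verdict_for(yarn_path, digest, allowed_sha256)}
```

A CI job would call `assess_checkout(workspace, ALLOWED)` and abort on any verdict other than "ok" before turbo, @turbo/codemod or @turbo/workspace run in that directory.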

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204 User Execution (tactic: Execution)
An adversary may rely upon specific actions by a user in order to gain execution.
Why these techniques?

Arbitrary code execution triggered by running turbo commands against attacker-controlled repo contents (malicious .yarnrc.yml yarnPath) directly enables command/script execution (T1059) via client-side exploitation (T1203) and user execution (T1204).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

vercel / turborepo: 1.1.0 — 2.9.14

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
