Vulnerability DatabaseCVE-2026-45772
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-45772
Published:May 15, 2026
Updated:May 18, 2026
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.
Affected Packages
https://github.com/vercel/turborepo.git (GITHUB):
Affected version(s) >=v1.1.0 <v2.9.14
Fix Suggestion:
Update to version v2.9.14
@turbo/codemod (NPM):
Affected version(s) >=2.3.4 <2.9.14
Fix Suggestion:
Update to version 2.9.14
turbo (NPM):
Affected version(s) >=1.1.0 <2.9.14
Fix Suggestion:
Update to version 2.9.14
@turbo/workspaces (NPM):
Affected version(s) >=2.3.4 <2.9.14
Fix Suggestion:
Update to version 2.9.14
Related Resources (1)
https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726
Do you need more information?
Contact Us
Weakness Type (CWE)
Untrusted Search Path
CWE-426
EPSS
Base Score:
0.07