https://vulnerability.circl.lu/sightings/feedMost recent sightings.2026-05-28T15:52:26.357040+00:00Vulnerability-Lookupinfo@circl.lupython-feedgenContains only the most 10 recent sightings.https://vulnerability.circl.lu/sighting/b854d742-9610-485c-bce3-69ffa4cafe06/exportb854d742-9610-485c-bce3-69ffa4cafe062026-05-28T15:52:26.690451+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "b854d742-9610-485c-bce3-69ffa4cafe06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45773", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlvviynmah2o", "content": "CVE-2026-45773 - Turborepo: Login callback CSRF/session fixation\nCVE ID : CVE-2026-45773\n \n Published : May 15, 2026, 3:51 p.m. | 16\u00a0minutes ago\n \n Description : Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's ...", "creation_timestamp": "2026-05-15T17:51:48.608485Z"}2026-05-15T17:51:48.608485+00:00https://vulnerability.circl.lu/sighting/d9f3ed2c-8d02-4600-a9d4-64cf473798e4/exportd9f3ed2c-8d02-4600-a9d4-64cf473798e42026-05-28T15:52:26.687297+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "d9f3ed2c-8d02-4600-a9d4-64cf473798e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45773", "type": "seen", "source": "https://gist.github.com/alon710/e381dedd3ac6c2888e1321e911d4bec9", "content": "# CVE-2026-45773: CVE-2026-45773: Cross-Site Request Forgery and Session Fixation in Turborepo CLI\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-19\n> **Full Report:** https://cvereports.com/reports/CVE-2026-45773\n\n## Summary\nVercel Turborepo CLI versions prior to 2.9.14 are vulnerable to Cross-Site Request Forgery (CSRF) and Session Fixation during self-hosted remote cache authentication. The local callback server fails to validate the OAuth2 state parameter, allowing malicious websites to inject attacker-controlled tokens and compromise build environments.\n\n## TL;DR\nTurborepo CLI < 2.9.14 lacks state validation in its local authentication callback, enabling attackers to bind a developer's session to an attacker-controlled account via a drive-by request to localhost.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-352, CWE-384\n- **Attack Vector**: Network (Loopback)\n- **CVSS**: 6.5\n- **EPSS**: 0.00023\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Turborepo CLI (Self-Hosted Remote Cache Configurations)\n- **Turborepo**: < 2.9.14 (Fixed in: `2.9.14`)\n\n## Mitigation\n\n- Upgrade Turborepo CLI to version 2.9.14 or later.\n- Execute 'turbo logout' to clear potentially compromised session tokens.\n- Enforce strict state validation and PKCE on the self-hosted identity provider.\n\n**Remediation Steps:**\n1. Identify installed Turborepo versions using 'turbo --version'.\n2. Run 'npm install -g turbo@latest' or equivalent to update the CLI.\n3. Run 'turbo logout' to invalidate existing configurations.\n4. Re-authenticate using 'turbo login' with the patched binary.\n\n## References\n\n- [Vendor Advisory (GHSA)](https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r)\n- [NVD Record](https://nvd.nist.gov/vuln/detail/CVE-2026-45773)\n- [Sonatype Vulnerability Guide](https://guide.sonatype.com/vulnerabilities)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45773) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-19T20:10:50.000000Z"}2026-05-19T20:10:50+00:00