<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-04T10:37:41.539143+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/e290cbed-b767-4055-8ce5-c53f08a5436b/export</id>
    <title>e290cbed-b767-4055-8ce5-c53f08a5436b</title>
    <updated>2026-06-04T10:37:41.910107+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "e290cbed-b767-4055-8ce5-c53f08a5436b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4577", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mhpnhxsubt2e", "content": "", "creation_timestamp": "2026-03-23T08:31:19.298090Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/e290cbed-b767-4055-8ce5-c53f08a5436b/export"/>
    <published>2026-03-23T08:31:19.298090+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/b854d742-9610-485c-bce3-69ffa4cafe06/export</id>
    <title>b854d742-9610-485c-bce3-69ffa4cafe06</title>
    <updated>2026-06-04T10:37:41.909949+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "b854d742-9610-485c-bce3-69ffa4cafe06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45773", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlvviynmah2o", "content": "CVE-2026-45773 - Turborepo: Login callback CSRF/session fixation\nCVE ID : CVE-2026-45773\n \n Published : May 15, 2026, 3:51 p.m. | 16\u00a0minutes ago\n \n Description : Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's ...", "creation_timestamp": "2026-05-15T17:51:48.608485Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/b854d742-9610-485c-bce3-69ffa4cafe06/export"/>
    <published>2026-05-15T17:51:48.608485+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d9f3ed2c-8d02-4600-a9d4-64cf473798e4/export</id>
    <title>d9f3ed2c-8d02-4600-a9d4-64cf473798e4</title>
    <updated>2026-06-04T10:37:41.909728+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "d9f3ed2c-8d02-4600-a9d4-64cf473798e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45773", "type": "seen", "source": "https://gist.github.com/alon710/e381dedd3ac6c2888e1321e911d4bec9", "content": "# CVE-2026-45773: CVE-2026-45773: Cross-Site Request Forgery and Session Fixation in Turborepo CLI\n\n&amp;gt; **CVSS Score:** 6.5\n&amp;gt; **Published:** 2026-05-19\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-45773\n\n## Summary\nVercel Turborepo CLI versions prior to 2.9.14 are vulnerable to Cross-Site Request Forgery (CSRF) and Session Fixation during self-hosted remote cache authentication. The local callback server fails to validate the OAuth2 state parameter, allowing malicious websites to inject attacker-controlled tokens and compromise build environments.\n\n## TL;DR\nTurborepo CLI &amp;lt; 2.9.14 lacks state validation in its local authentication callback, enabling attackers to bind a developer's session to an attacker-controlled account via a drive-by request to localhost.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-352, CWE-384\n- **Attack Vector**: Network (Loopback)\n- **CVSS**: 6.5\n- **EPSS**: 0.00023\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Turborepo CLI (Self-Hosted Remote Cache Configurations)\n- **Turborepo**: &amp;lt; 2.9.14 (Fixed in: `2.9.14`)\n\n## Mitigation\n\n- Upgrade Turborepo CLI to version 2.9.14 or later.\n- Execute 'turbo logout' to clear potentially compromised session tokens.\n- Enforce strict state validation and PKCE on the self-hosted identity provider.\n\n**Remediation Steps:**\n1. Identify installed Turborepo versions using 'turbo --version'.\n2. Run 'npm install -g turbo@latest' or equivalent to update the CLI.\n3. Run 'turbo logout' to invalidate existing configurations.\n4. Re-authenticate using 'turbo login' with the patched binary.\n\n## References\n\n- [Vendor Advisory (GHSA)](https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r)\n- [NVD Record](https://nvd.nist.gov/vuln/detail/CVE-2026-45773)\n- [Sonatype Vulnerability Guide](https://guide.sonatype.com/vulnerabilities)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45773) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-19T20:10:50.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/d9f3ed2c-8d02-4600-a9d4-64cf473798e4/export"/>
    <published>2026-05-19T20:10:50+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/37373446-2e7d-4e41-a673-2700867f6b67/export</id>
    <title>37373446-2e7d-4e41-a673-2700867f6b67</title>
    <updated>2026-06-04T10:37:41.908316+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "37373446-2e7d-4e41-a673-2700867f6b67", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45770", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmc3qtiaud2c", "content": "\ud83d\udd17 CVE : CVE-2026-45747, CVE-2026-45751, CVE-2026-45752, CVE-2026-45759, CVE-2026-45761, CVE-2026-45762, CVE-2026-45763, CVE-2026-45764, CVE-2026-45765, CVE-2026-45766, CVE-2026-45767, CVE-2026-45768, CVE-2026-45769, CVE-2026-45770, CVE-2026-46352, CVE-2026-46387", "creation_timestamp": "2026-05-20T14:15:32.936733Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/37373446-2e7d-4e41-a673-2700867f6b67/export"/>
    <published>2026-05-20T14:15:32.936733+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/f43afd63-7466-4e15-8438-6e7d20291534/export</id>
    <title>f43afd63-7466-4e15-8438-6e7d20291534</title>
    <updated>2026-06-04T10:37:41.906654+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://vulnerability.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "f43afd63-7466-4e15-8438-6e7d20291534", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-45774", "type": "published-proof-of-concept", "source": "https://github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-mj4x-vf5c-5xg8", "content": "", "creation_timestamp": "2026-05-27T11:39:59.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/f43afd63-7466-4e15-8438-6e7d20291534/export"/>
    <published>2026-05-27T11:39:59+00:00</published>
  </entry>
</feed>
