What is CVE-2026-45772?

CVE-2026-45772 is a critical-severity vulnerability in @Turbo Codemod, classified under Untrusted Search Path. CVSS score: 9.8/10. Published 2026-05-15.

How severe is CVE-2026-45772?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Vulnerability in @Turbo Codemod

CVE-2026-45772

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn confi…

EPSS: 0.001 (26.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

@Turbo Codemod — versions >= 2.3.4, < 2.9.14
@Turbo Workspaces — versions >= 2.3.4, < 2.9.14
Vercel Turborepo — versions >= 1.1.0, < 2.9.14

Weakness classification (CWE)

CWE-426 — Untrusted Search Path

References

security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)

Frequently asked questions

What is CVE-2026-45772?: CVE-2026-45772 is a critical-severity vulnerability in @Turbo Codemod, classified under Untrusted Search Path. CVSS score: 9.8/10. Published 2026-05-15.
How severe is CVE-2026-45772?: Critical severity. CVSS v3 base score is 9.8 out of 10.