// vulnerability record
cached · NVD via COSMOS sync
CVE-2026-45321
CRITICAL · KEV · published 2026-05-12 01:16 UTC · 1 month ago · modified 2026-05-29 19:41 UTC
9.6
CVSS / 10
// description
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry, distributing credential-stealing malware under a trusted identity.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
// required action (CISA KEV)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
added 2026-05-27 00:00 UTC
// weaknesses (CWE)
- CWE-506
// references (5)
- https://github.com/TanStack/router/issues/7383
- https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
- https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
- https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321