{"vulnerability": "cve-2026-4577", "sightings": [{"uuid": "e290cbed-b767-4055-8ce5-c53f08a5436b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4577", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mhpnhxsubt2e", "content": "", "creation_timestamp": "2026-03-23T08:31:19.298090Z"}, {"uuid": "b854d742-9610-485c-bce3-69ffa4cafe06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45773", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlvviynmah2o", "content": "CVE-2026-45773 - Turborepo: Login callback CSRF/session fixation\nCVE ID : CVE-2026-45773\n \n Published : May 15, 2026, 3:51 p.m. | 16\u00a0minutes ago\n \n Description : Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's ...", "creation_timestamp": "2026-05-15T17:51:48.608485Z"}, {"uuid": "d9f3ed2c-8d02-4600-a9d4-64cf473798e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45773", "type": "seen", "source": "https://gist.github.com/alon710/e381dedd3ac6c2888e1321e911d4bec9", "content": "# CVE-2026-45773: CVE-2026-45773: Cross-Site Request Forgery and Session Fixation in Turborepo CLI\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-19\n> **Full Report:** https://cvereports.com/reports/CVE-2026-45773\n\n## Summary\nVercel Turborepo CLI versions prior to 2.9.14 are vulnerable to Cross-Site Request Forgery (CSRF) and Session Fixation during self-hosted remote cache authentication. The local callback server fails to validate the OAuth2 state parameter, allowing malicious websites to inject attacker-controlled tokens and compromise build environments.\n\n## TL;DR\nTurborepo CLI < 2.9.14 lacks state validation in its local authentication callback, enabling attackers to bind a developer's session to an attacker-controlled account via a drive-by request to localhost.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-352, CWE-384\n- **Attack Vector**: Network (Loopback)\n- **CVSS**: 6.5\n- **EPSS**: 0.00023\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Turborepo CLI (Self-Hosted Remote Cache Configurations)\n- **Turborepo**: < 2.9.14 (Fixed in: `2.9.14`)\n\n## Mitigation\n\n- Upgrade Turborepo CLI to version 2.9.14 or later.\n- Execute 'turbo logout' to clear potentially compromised session tokens.\n- Enforce strict state validation and PKCE on the self-hosted identity provider.\n\n**Remediation Steps:**\n1. Identify installed Turborepo versions using 'turbo --version'.\n2. Run 'npm install -g turbo@latest' or equivalent to update the CLI.\n3. Run 'turbo logout' to invalidate existing configurations.\n4. Re-authenticate using 'turbo login' with the patched binary.\n\n## References\n\n- [Vendor Advisory (GHSA)](https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r)\n- [NVD Record](https://nvd.nist.gov/vuln/detail/CVE-2026-45773)\n- [Sonatype Vulnerability Guide](https://guide.sonatype.com/vulnerabilities)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45773) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-19T20:10:50.000000Z"}, {"uuid": "37373446-2e7d-4e41-a673-2700867f6b67", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45770", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmc3qtiaud2c", "content": "\ud83d\udd17 CVE : CVE-2026-45747, CVE-2026-45751, CVE-2026-45752, CVE-2026-45759, CVE-2026-45761, CVE-2026-45762, CVE-2026-45763, CVE-2026-45764, CVE-2026-45765, CVE-2026-45766, CVE-2026-45767, CVE-2026-45768, CVE-2026-45769, CVE-2026-45770, CVE-2026-46352, CVE-2026-46387", "creation_timestamp": "2026-05-20T14:15:32.936733Z"}, {"uuid": "f43afd63-7466-4e15-8438-6e7d20291534", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-45774", "type": "published-proof-of-concept", "source": "https://github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-mj4x-vf5c-5xg8", "content": "", "creation_timestamp": "2026-05-27T11:39:59.000000Z"}, {"uuid": "786f0e8b-4ff2-4a7f-b433-178c77642f98", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45778", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnkzklr64m2g", "content": "CVE-2026-45778 - Open XDMoD Vulnerable to Reflected Cross-Site Scripting (XSS) in Password Reset\nCVE ID : CVE-2026-45778\n \n Published : June 5, 2026, 8:17 p.m. | 15\u00a0minutes ago\n \n Description : OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to v...", "creation_timestamp": "2026-06-05T20:55:23.268741Z"}, {"uuid": "b0ffb085-66b3-499a-9ca8-51bb833971c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45777", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnkzp3hx2y2k", "content": "CVE-2026-45777 - Open XDMoD Vulnerable to Unauthenticated Remote Code Execution (RCE) via OS Command Injection\nCVE ID : CVE-2026-45777\n \n Published : June 5, 2026, 8:17 p.m. | 15\u00a0minutes ago\n \n Description : OpenXDMoD is an open framework for collecting and analyzing HPC metri...", "creation_timestamp": "2026-06-05T20:57:54.385410Z"}, {"uuid": "730da530-e20f-41ca-8c4d-126fd155bfb4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45776", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnl27dfxyj2r", "content": "CVE-2026-45776 - Open XDMoD has Broken Access Control via Client-Controlled Session Variable\nCVE ID : CVE-2026-45776\n \n Published : June 5, 2026, 8:17 p.m. | 15\u00a0minutes ago\n \n Description : OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to versi...", "creation_timestamp": "2026-06-05T21:06:59.290012Z"}, {"uuid": "b6df865f-96ca-49e1-97df-a2a956d50e27", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45779", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnl37s4oma2i", "content": "CVE-2026-45779 - Open XDMoD Vulnerable to Unauthenticated SQL Injection Leading to Full Database Compromise\nCVE ID : CVE-2026-45779\n \n Published : June 5, 2026, 8:17 p.m. | 15\u00a0minutes ago\n \n Description : OpenXDMoD is an open framework for collecting and analyzing HPC metrics....", "creation_timestamp": "2026-06-05T21:25:09.454922Z"}, {"uuid": "92dc1d62-9cc7-450d-91f6-dc58c3b88642", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-45779", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116701988411720814", "content": "\ud83d\udee1\ufe0f CRITICAL: CVE-2026-45779 in Open XDMoD < 10.0.3 enables unauthenticated SQL injection \u2014 total DB compromise possible! Patch to 10.0.3+ or apply manual fix. No known exploitation yet. Details: https://radar.offseq.com/threat/cve-2026-45779-cwe-89-improper-neutralization-of-s-cff49bf0 #OffSeq #Vuln #SQLi #HPC", "creation_timestamp": "2026-06-06T07:30:25.733281Z"}, {"uuid": "0b26743c-1a1a-4af9-8b63-14609681094e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-45779", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mnm525wsqi2a", "content": "CRITICAL SQL injection in Open XDMoD < 10.0.3 \ud83d\udea8 No auth needed \u2014 attackers can fully compromise your DB. Upgrade to 10.0.3+ or patch now! More info: https://radar.offseq.com/threat/cve-2026-45779-cwe-89-improper-neutralization-of-s-cff49bf0 #OffSeq #Vulnerability #SQLInjection", "creation_timestamp": "2026-06-06T07:30:27.454534Z"}, {"uuid": "75b6d59b-1c16-430b-bd7f-184bd41af3f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-45777", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mnmc35xzgd2f", "content": "CRITICAL OS command injection in Open XDMoD v9.5.0 \u2013 11.0.2 \ud83d\udda5\ufe0f. Remote attackers can execute system commands. Patch to 11.0.3 or apply the fix ASAP! https://radar.offseq.com/threat/cve-2026-45777-cwe-78-improper-neutralization-of-s-3ce0a100 #OffSeq #CVE202645777 #security", "creation_timestamp": "2026-06-06T09:00:30.082474Z"}, {"uuid": "ede35411-f80c-483a-90b5-9b19b7dbecb0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-45777", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116702342468198356", "content": "\ud83d\udea8 CVE-2026-45777: CRITICAL OS command injection in Open XDMoD v9.5.0 \u2013 11.0.2. Remote attackers can run system commands with web server privileges. Patch to 11.0.3 or apply fix now. No known exploitation. https://radar.offseq.com/threat/cve-2026-45777-cwe-78-improper-neutralization-of-s-3ce0a100 #OffSeq #CVE202645777 #infosec", "creation_timestamp": "2026-06-06T09:00:35.474997Z"}, {"uuid": "0fdafb14-238c-45b1-a0e1-522d962c3e7e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45779", "type": "seen", "source": "https://bsky.app/profile/securitycyberuk.bsky.social/post/3mobwuirvaw23", "content": "\ud83d\udea8  ALERT: CVE-2026-45779\n\nCVSS 9.8/10\n\n\ud83d\udccb WHAT IT IS:\nOpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation ", "creation_timestamp": "2026-06-14T23:38:28.319180Z"}, {"uuid": "4363e024-ccc2-4e2c-b365-ae21a0204606", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45777", "type": "seen", "source": "https://bsky.app/profile/securitycyberuk.bsky.social/post/3mobwuofi732p", "content": "\ud83d\udea8  ALERT: CVE-2026-45777\n\nCVSS 9.8/10\n\n\ud83d\udccb WHAT IT IS:\nOpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of ", "creation_timestamp": "2026-06-14T23:38:34.210641Z"}]}