CVE-2026-46508 – Turborepo: VSCode Extension command injection

CVE ID :CVE-2026-46508

Published : May 15, 2026, 4:16 p.m. | 42 minutes ago

Description :Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted values through workspace settings or task names in the repository’s source code that were interpolated into shell commands. When the extension activated or when a user ran a task through the extension, those values could be interpreted by the user’s shell, allowing arbitrary command execution with the privileges of the local VS Code process. This vulnerability is fixed in 2.9.14000.

Severity: 8.4 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-44774 – Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false

CVE-2026-41181 – Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service

CVE-2026-44309 – gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits

CVE-2026-44310 – gitsign –verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers