Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Summary
| CVE | CVE-2026-45321 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-12 01:16:46 UTC |
| Updated | 2026-05-29 19:41:37 UTC |
| Description | On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart. |
Risk And Classification
Primary CVSS: v3.1 9.6 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.170510000 probability, percentile 0.951050000 (date 2026-06-01)
CISA KEV: Listed on 2026-05-27; due 2026-06-10; ransomware use Known
Problem Types: CWE-506 | CWE-506 CWE-506: Embedded Malicious Code
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
ChangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA Known Exploited Vulnerability
| Vendor | TanStack |
|---|---|
| Product | TanStack |
| Name | TanStack Unspecified Vulnerability |
| Required Action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| Notes | This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx ; https://nvd.nist.gov/vuln/detail/CVE-2026-45321 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Abhishake1 | Supersurkhet/cli | 0.0.2 | All | All | All |
| Application | Abhishake1 | Supersurkhet/cli | 0.0.3 | All | All | All |
| Application | Abhishake1 | Supersurkhet/cli | 0.0.4 | All | All | All |
| Application | Abhishake1 | Supersurkhet/cli | 0.0.5 | All | All | All |
| Application | Abhishake1 | Supersurkhet/cli | 0.0.6 | All | All | All |
| Application | Abhishake1 | Supersurkhet/cli | 0.0.7 | All | All | All |
| Application | Abhishake1 | Supersurkhet/sdk | 0.0.2 | All | All | All |
| Application | Abhishake1 | Supersurkhet/sdk | 0.0.3 | All | All | All |
| Application | Abhishake1 | Supersurkhet/sdk | 0.0.4 | All | All | All |
| Application | Abhishake1 | Supersurkhet/sdk | 0.0.5 | All | All | All |
| Application | Abhishake1 | Supersurkhet/sdk | 0.0.6 | All | All | All |
| Application | Abhishake1 | Supersurkhet/sdk | 0.0.7 | All | All | All |
| Application | Abhishake1 | Taskflow-corp/cli | 0.1.24 | All | All | All |
| Application | Abhishake1 | Taskflow-corp/cli | 0.1.25 | All | All | All |
| Application | Abhishake1 | Taskflow-corp/cli | 0.1.26 | All | All | All |
| Application | Abhishake1 | Taskflow-corp/cli | 0.1.27 | All | All | All |
| Application | Abhishake1 | Taskflow-corp/cli | 0.1.28 | All | All | All |
| Application | Abhishake1 | Taskflow-corp/cli | 0.1.29 | All | All | All |
| Application | Agentworkhq | Agentwork-cli | 0.1.4 | All | All | All |
| Application | Agentworkhq | Agentwork-cli | 0.1.5 | All | All | All |
| Application | Antoinebcx | Ml-toolkit-ts | 1.0.4 | All | All | All |
| Application | Antoinebcx | Ml-toolkit-ts | 1.0.5 | All | All | All |
| Application | Antoinebcx | Ml-toolkit-ts/preprocessing | 1.0.2 | All | All | All |
| Application | Antoinebcx | Ml-toolkit-ts/preprocessing | 1.0.3 | All | All | All |
| Application | Antoinebcx | Ml-toolkit-ts/xgboost | 1.0.3 | All | All | All |
| Application | Antoinebcx | Ml-toolkit-ts/xgboost | 1.0.4 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.10 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.11 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.12 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.13 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.14 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.15 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.16 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.17 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.19 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.2 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.3 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.4 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.5 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.6 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.7 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.8 | All | All | All |
| Application | Beproduct | Beproduct/nestjs-auth | 0.1.9 | All | All | All |
| Application | Christianalares | Git-git-git | 1.0.10 | All | All | All |
| Application | Christianalares | Git-git-git | 1.0.12 | All | All | All |
| Application | Christianalares | Git-git-git | 1.0.8 | All | All | All |
| Application | Christianalares | Git-git-git | 1.0.9 | All | All | All |
| Application | Christianalares | Git Branch Selector | 1.3.3 | All | All | All |
| Application | Christianalares | Git Branch Selector | 1.3.4 | All | All | All |
| Application | Christianalares | Git Branch Selector | 1.3.5 | All | All | All |
| Application | Christianalares | Git Branch Selector | 1.3.7 | All | All | All |
| Application | Christianalares | Nextmove-mcp | 0.1.3 | All | All | All |
| Application | Christianalares | Nextmove-mcp | 0.1.4 | All | All | All |
| Application | Christianalares | Nextmove-mcp | 0.1.5 | All | All | All |
| Application | Christianalares | Nextmove-mcp | 0.1.7 | All | All | All |
| Application | Christianalares | Tolka/cli | 1.0.2 | All | All | All |
| Application | Christianalares | Tolka/cli | 1.0.3 | All | All | All |
| Application | Christianalares | Tolka/cli | 1.0.4 | All | All | All |
| Application | Christianalares | Tolka/cli | 1.0.6 | All | All | All |
| Application | Dirigible | Dirigible-ai/sdk | 0.6.2 | All | All | All |
| Application | Dirigible | Dirigible-ai/sdk | 0.6.3 | All | All | All |
| Application | Guardrailsai | Guardrails Ai | 0.10.1 | All | All | All |
| Application | Kilbot | Tallyui/components | 1.0.1 | All | All | All |
| Application | Kilbot | Tallyui/components | 1.0.2 | All | All | All |
| Application | Kilbot | Tallyui/components | 1.0.3 | All | All | All |
| Application | Kilbot | Tallyui/connector-medusa | 1.0.1 | All | All | All |
| Application | Kilbot | Tallyui/connector-medusa | 1.0.2 | All | All | All |
| Application | Kilbot | Tallyui/connector-medusa | 1.0.3 | All | All | All |
| Application | Kilbot | Tallyui/connector-shopify | 1.0.1 | All | All | All |
| Application | Kilbot | Tallyui/connector-shopify | 1.0.2 | All | All | All |
| Application | Kilbot | Tallyui/connector-shopify | 1.0.3 | All | All | All |
| Application | Kilbot | Tallyui/connector-vendure | 1.0.1 | All | All | All |
| Application | Kilbot | Tallyui/connector-vendure | 1.0.2 | All | All | All |
| Application | Kilbot | Tallyui/connector-vendure | 1.0.3 | All | All | All |
| Application | Kilbot | Tallyui/connector-woocommerce | 1.0.1 | All | All | All |
| Application | Kilbot | Tallyui/connector-woocommerce | 1.0.2 | All | All | All |
| Application | Kilbot | Tallyui/connector-woocommerce | 1.0.3 | All | All | All |
| Application | Kilbot | Tallyui/core | 0.2.1 | All | All | All |
| Application | Kilbot | Tallyui/core | 0.2.2 | All | All | All |
| Application | Kilbot | Tallyui/core | 0.2.3 | All | All | All |
| Application | Kilbot | Tallyui/database | 1.0.1 | All | All | All |
| Application | Kilbot | Tallyui/database | 1.0.2 | All | All | All |
| Application | Kilbot | Tallyui/database | 1.0.3 | All | All | All |
| Application | Kilbot | Tallyui/pos | 0.1.1 | All | All | All |
| Application | Kilbot | Tallyui/pos | 0.1.2 | All | All | All |
| Application | Kilbot | Tallyui/pos | 0.1.3 | All | All | All |
| Application | Kilbot | Tallyui/storage-sqlite | 0.2.1 | All | All | All |
| Application | Kilbot | Tallyui/storage-sqlite | 0.2.2 | All | All | All |
| Application | Kilbot | Tallyui/storage-sqlite | 0.2.3 | All | All | All |
| Application | Kilbot | Tallyui/theme | 0.2.1 | All | All | All |
| Application | Kilbot | Tallyui/theme | 0.2.2 | All | All | All |
| Application | Kilbot | Tallyui/theme | 0.2.3 | All | All | All |
| Application | Linuxfoundation | Opensearch | 3.6.2 | All | All | All |
| Application | Matheuspergoli | Draftauth/client | 0.2.1 | All | All | All |
| Application | Matheuspergoli | Draftauth/client | 0.2.2 | All | All | All |
| Application | Matheuspergoli | Draftauth/core | 0.13.1 | All | All | All |
| Application | Matheuspergoli | Draftauth/core | 0.13.2 | All | All | All |
| Application | Matheuspergoli | Draftlab/auth | 0.24.1 | All | All | All |
| Application | Matheuspergoli | Draftlab/auth | 0.24.2 | All | All | All |
| Application | Matheuspergoli | Draftlab/auth-router | 0.5.1 | All | All | All |
| Application | Matheuspergoli | Draftlab/auth-router | 0.5.2 | All | All | All |
| Application | Matheuspergoli | Draftlab/db | 0.16.1 | All | All | All |
| Application | Matheuspergoli | Draftlab/db | 0.16.2 | All | All | All |
| Application | Matheuspergoli | Simple Type-safe Actions | 0.8.3 | All | All | All |
| Application | Matheuspergoli | Simple Type-safe Actions | 0.8.4 | All | All | All |
| Application | Mesa | Mesadev/rest | 0.28.3 | All | All | All |
| Application | Mesa | Mesadev/saguaro | 0.4.22 | All | All | All |
| Application | Mesa | Mesadev/sdk | 0.28.3 | All | All | All |
| Application | Mistral | Mistralai | 2.4.6 | All | All | All |
| Application | Mistral | Mistralai/mistralai | 2.2.3 | All | All | All |
| Application | Mistral | Mistralai/mistralai | 2.2.4 | All | All | All |
| Application | Mistral | Mistralai/mistralai-azure | 1.7.2 | All | All | All |
| Application | Mistral | Mistralai/mistralai-azure | 1.7.3 | All | All | All |
| Application | Mistral | Mistralai/mistralai-gcp | 1.7.2 | All | All | All |
| Application | Mistral | Mistralai/mistralai-gcp | 1.7.3 | All | All | All |
| Application | Multiagentcognition | Cmux-agent-mcp | 0.1.3 | All | All | All |
| Application | Multiagentcognition | Cmux-agent-mcp | 0.1.4 | All | All | All |
| Application | Multiagentcognition | Cmux-agent-mcp | 0.1.5 | All | All | All |
| Application | Multiagentcognition | Cmux-agent-mcp | 0.1.6 | All | All | All |
| Application | Multiagentcognition | Cmux-agent-mcp | 0.1.7 | All | All | All |
| Application | Multiagentcognition | Cmux-agent-mcp | 0.1.8 | All | All | All |
| Application | Neilcochran | Cross-stitch | 1.1.3 | All | All | All |
| Application | Neilcochran | Cross-stitch | 1.1.4 | All | All | All |
| Application | Neilcochran | Cross-stitch | 1.1.6 | All | All | All |
| Application | Neilcochran | Squawk/airports | 0.6.2 | All | All | All |
| Application | Neilcochran | Squawk/airports | 0.6.3 | All | All | All |
| Application | Neilcochran | Squawk/airports | 0.6.5 | All | All | All |
| Application | Neilcochran | Squawk/airspace | 0.8.1 | All | All | All |
| Application | Neilcochran | Squawk/airspace | 0.8.2 | All | All | All |
| Application | Neilcochran | Squawk/airspace | 0.8.4 | All | All | All |
| Application | Neilcochran | Squawk/airspace-data | 0.5.3 | All | All | All |
| Application | Neilcochran | Squawk/airspace-data | 0.5.4 | All | All | All |
| Application | Neilcochran | Squawk/airspace-data | 0.5.6 | All | All | All |
| Application | Neilcochran | Squawk/airway-data | 0.5.4 | All | All | All |
| Application | Neilcochran | Squawk/airway-data | 0.5.5 | All | All | All |
| Application | Neilcochran | Squawk/airway-data | 0.5.7 | All | All | All |
| Application | Neilcochran | Squawk/airways | 0.4.2 | All | All | All |
| Application | Neilcochran | Squawk/airways | 0.4.3 | All | All | All |
| Application | Neilcochran | Squawk/airways | 0.4.5 | All | All | All |
| Application | Neilcochran | Squawk/fix-data | 0.6.4 | All | All | All |
| Application | Neilcochran | Squawk/fix-data | 0.6.5 | All | All | All |
| Application | Neilcochran | Squawk/fix-data | 0.6.7 | All | All | All |
| Application | Neilcochran | Squawk/fixes | 0.3.2 | All | All | All |
| Application | Neilcochran | Squawk/fixes | 0.3.3 | All | All | All |
| Application | Neilcochran | Squawk/fixes | 0.3.5 | All | All | All |
| Application | Neilcochran | Squawk/flight-math | 0.5.4 | All | All | All |
| Application | Neilcochran | Squawk/flight-math | 0.5.5 | All | All | All |
| Application | Neilcochran | Squawk/flight-math | 0.5.7 | All | All | All |
| Application | Neilcochran | Squawk/flightplan | 0.5.2 | All | All | All |
| Application | Neilcochran | Squawk/flightplan | 0.5.3 | All | All | All |
| Application | Neilcochran | Squawk/flightplan | 0.5.5 | All | All | All |
| Application | Neilcochran | Squawk/geo | 0.4.4 | All | All | All |
| Application | Neilcochran | Squawk/geo | 0.4.5 | All | All | All |
| Application | Neilcochran | Squawk/geo | 0.4.7 | All | All | All |
| Application | Neilcochran | Squawk/icao-registry | 0.5.2 | All | All | All |
| Application | Neilcochran | Squawk/icao-registry | 0.5.3 | All | All | All |
| Application | Neilcochran | Squawk/icao-registry | 0.5.5 | All | All | All |
| Application | Neilcochran | Squawk/icao-registry-data | 0.8.4 | All | All | All |
| Application | Neilcochran | Squawk/icao-registry-data | 0.8.5 | All | All | All |
| Application | Neilcochran | Squawk/icao-registry-data | 0.8.7 | All | All | All |
| Application | Neilcochran | Squawk/mcp | 0.9.1 | All | All | All |
| Application | Neilcochran | Squawk/mcp | 0.9.2 | All | All | All |
| Application | Neilcochran | Squawk/mcp | 0.9.4 | All | All | All |
| Application | Neilcochran | Squawk/navaid-data | 0.6.4 | All | All | All |
| Application | Neilcochran | Squawk/navaid-data | 0.6.5 | All | All | All |
| Application | Neilcochran | Squawk/navaid-data | 0.6.7 | All | All | All |
| Application | Neilcochran | Squawk/navaids | 0.4.2 | All | All | All |
| Application | Neilcochran | Squawk/navaids | 0.4.3 | All | All | All |
| Application | Neilcochran | Squawk/navaids | 0.4.5 | All | All | All |
| Application | Neilcochran | Squawk/notams | 0.3.6 | All | All | All |
| Application | Neilcochran | Squawk/notams | 0.3.7 | All | All | All |
| Application | Neilcochran | Squawk/notams | 0.3.9 | All | All | All |
| Application | Neilcochran | Squawk/procedure-data | 0.7.3 | All | All | All |
| Application | Neilcochran | Squawk/procedure-data | 0.7.4 | All | All | All |
| Application | Neilcochran | Squawk/procedure-data | 0.7.6 | All | All | All |
| Application | Neilcochran | Squawk/procedures | 0.5.2 | All | All | All |
| Application | Neilcochran | Squawk/procedures | 0.5.3 | All | All | All |
| Application | Neilcochran | Squawk/procedures | 0.5.5 | All | All | All |
| Application | Neilcochran | Squawk/types | 0.8.1 | All | All | All |
| Application | Neilcochran | Squawk/types | 0.8.2 | All | All | All |
| Application | Neilcochran | Squawk/types | 0.8.4 | All | All | All |
| Application | Neilcochran | Squawk/units | 0.4.3 | All | All | All |
| Application | Neilcochran | Squawk/units | 0.4.4 | All | All | All |
| Application | Neilcochran | Squawk/units | 0.4.6 | All | All | All |
| Application | Neilcochran | Squawk/weather | 0.5.6 | All | All | All |
| Application | Neilcochran | Squawk/weather | 0.5.7 | All | All | All |
| Application | Neilcochran | Squawk/weather | 0.5.9 | All | All | All |
| Application | Neilcochran | Ts-dna | 3.0.1 | All | All | All |
| Application | Neilcochran | Ts-dna | 3.0.2 | All | All | All |
| Application | Neilcochran | Ts-dna | 3.0.4 | All | All | All |
| Application | Neilcochran | Wot-api | 0.8.1 | All | All | All |
| Application | Neilcochran | Wot-api | 0.8.2 | All | All | All |
| Application | Neilcochran | Wot-api | 0.8.4 | All | All | All |
| Application | Tanstack | Tanstack/arktype-adapter | 1.166.12 | All | All | All |
| Application | Tanstack | Tanstack/arktype-adapter | 1.166.15 | All | All | All |
| Application | Tanstack | Tanstack/eslint-plugin-router | 1.161.12 | All | All | All |
| Application | Tanstack | Tanstack/eslint-plugin-router | 1.161.9 | All | All | All |
| Application | Tanstack | Tanstack/eslint-plugin-start | 0.0.4 | All | All | All |
| Application | Tanstack | Tanstack/eslint-plugin-start | 0.0.7 | All | All | All |
| Application | Tanstack | Tanstack/history | 1.161.12 | All | All | All |
| Application | Tanstack | Tanstack/history | 1.161.9 | All | All | All |
| Application | Tanstack | Tanstack/nitro-v2-vite-plugin | 1.154.12 | All | All | All |
| Application | Tanstack | Tanstack/nitro-v2-vite-plugin | 1.154.15 | All | All | All |
| Application | Tanstack | Tanstack/react-router | 1.169.5 | All | All | All |
| Application | Tanstack | Tanstack/react-router | 1.169.8 | All | All | All |
| Application | Tanstack | Tanstack/react-router-devtools | 1.166.16 | All | All | All |
| Application | Tanstack | Tanstack/react-router-devtools | 1.166.19 | All | All | All |
| Application | Tanstack | Tanstack/react-router-ssr-query | 1.166.15 | All | All | All |
| Application | Tanstack | Tanstack/react-router-ssr-query | 1.166.18 | All | All | All |
| Application | Tanstack | Tanstack/react-start | 1.167.68 | All | All | All |
| Application | Tanstack | Tanstack/react-start | 1.167.71 | All | All | All |
| Application | Tanstack | Tanstack/react-start-client | 1.166.51 | All | All | All |
| Application | Tanstack | Tanstack/react-start-client | 1.166.54 | All | All | All |
| Application | Tanstack | Tanstack/react-start-rsc | 0.0.47 | All | All | All |
| Application | Tanstack | Tanstack/react-start-rsc | 0.0.50 | All | All | All |
| Application | Tanstack | Tanstack/react-start-server | 1.166.55 | All | All | All |
| Application | Tanstack | Tanstack/react-start-server | 1.166.58 | All | All | All |
| Application | Tanstack | Tanstack/router-cli | 1.166.46 | All | All | All |
| Application | Tanstack | Tanstack/router-cli | 1.166.49 | All | All | All |
| Application | Tanstack | Tanstack/router-core | 1.169.5 | All | All | All |
| Application | Tanstack | Tanstack/router-core | 1.169.8 | All | All | All |
| Application | Tanstack | Tanstack/router-devtools | 1.166.16 | All | All | All |
| Application | Tanstack | Tanstack/router-devtools | 1.166.19 | All | All | All |
| Application | Tanstack | Tanstack/router-devtools-core | 1.167.6 | All | All | All |
| Application | Tanstack | Tanstack/router-devtools-core | 1.167.9 | All | All | All |
| Application | Tanstack | Tanstack/router-generator | 1.166.45 | All | All | All |
| Application | Tanstack | Tanstack/router-generator | 1.166.48 | All | All | All |
| Application | Tanstack | Tanstack/router-plugin | 1.167.38 | All | All | All |
| Application | Tanstack | Tanstack/router-plugin | 1.167.41 | All | All | All |
| Application | Tanstack | Tanstack/router-ssr-query-core | 1.168.3 | All | All | All |
| Application | Tanstack | Tanstack/router-ssr-query-core | 1.168.6 | All | All | All |
| Application | Tanstack | Tanstack/router-utils | 1.161.11 | All | All | All |
| Application | Tanstack | Tanstack/router-utils | 1.161.14 | All | All | All |
| Application | Tanstack | Tanstack/router-vite-plugin | 1.166.53 | All | All | All |
| Application | Tanstack | Tanstack/router-vite-plugin | 1.166.56 | All | All | All |
| Application | Tanstack | Tanstack/solid-router | 1.169.5 | All | All | All |
| Application | Tanstack | Tanstack/solid-router | 1.169.8 | All | All | All |
| Application | Tanstack | Tanstack/solid-router-devtools | 1.166.16 | All | All | All |
| Application | Tanstack | Tanstack/solid-router-devtools | 1.166.19 | All | All | All |
| Application | Tanstack | Tanstack/solid-router-ssr-query | 1.166.15 | All | All | All |
| Application | Tanstack | Tanstack/solid-router-ssr-query | 1.166.18 | All | All | All |
| Application | Tanstack | Tanstack/solid-start | 1.167.65 | All | All | All |
| Application | Tanstack | Tanstack/solid-start | 1.167.68 | All | All | All |
| Application | Tanstack | Tanstack/solid-start-client | 1.166.50 | All | All | All |
| Application | Tanstack | Tanstack/solid-start-client | 1.166.53 | All | All | All |
| Application | Tanstack | Tanstack/solid-start-server | 1.166.54 | All | All | All |
| Application | Tanstack | Tanstack/solid-start-server | 1.166.57 | All | All | All |
| Application | Tanstack | Tanstack/start-client-core | 1.168.5 | All | All | All |
| Application | Tanstack | Tanstack/start-client-core | 1.168.8 | All | All | All |
| Application | Tanstack | Tanstack/start-fn-stubs | 1.161.12 | All | All | All |
| Application | Tanstack | Tanstack/start-fn-stubs | 1.161.9 | All | All | All |
| Application | Tanstack | Tanstack/start-plugin-core | 1.169.23 | All | All | All |
| Application | Tanstack | Tanstack/start-plugin-core | 1.169.26 | All | All | All |
| Application | Tanstack | Tanstack/start-server-core | 1.167.33 | All | All | All |
| Application | Tanstack | Tanstack/start-server-core | 1.167.36 | All | All | All |
| Application | Tanstack | Tanstack/start-static-server-functions | 1.166.44 | All | All | All |
| Application | Tanstack | Tanstack/start-static-server-functions | 1.166.47 | All | All | All |
| Application | Tanstack | Tanstack/start-storage-context | 1.166.38 | All | All | All |
| Application | Tanstack | Tanstack/start-storage-context | 1.166.41 | All | All | All |
| Application | Tanstack | Tanstack/valibot-adapter | 1.166.12 | All | All | All |
| Application | Tanstack | Tanstack/valibot-adapter | 1.166.15 | All | All | All |
| Application | Tanstack | Tanstack/virtual-file-routes | 1.161.10 | All | All | All |
| Application | Tanstack | Tanstack/virtual-file-routes | 1.161.13 | All | All | All |
| Application | Tanstack | Tanstack/vue-router | 1.169.5 | All | All | All |
| Application | Tanstack | Tanstack/vue-router | 1.169.8 | All | All | All |
| Application | Tanstack | Tanstack/vue-router-devtools | 1.166.16 | All | All | All |
| Application | Tanstack | Tanstack/vue-router-devtools | 1.166.19 | All | All | All |
| Application | Tanstack | Tanstack/vue-router-ssr-query | 1.166.15 | All | All | All |
| Application | Tanstack | Tanstack/vue-router-ssr-query | 1.166.18 | All | All | All |
| Application | Tanstack | Tanstack/vue-start | 1.167.61 | All | All | All |
| Application | Tanstack | Tanstack/vue-start | 1.167.64 | All | All | All |
| Application | Tanstack | Tanstack/vue-start-client | 1.166.46 | All | All | All |
| Application | Tanstack | Tanstack/vue-start-client | 1.166.49 | All | All | All |
| Application | Tanstack | Tanstack/vue-start-server | 1.166.50 | All | All | All |
| Application | Tanstack | Tanstack/vue-start-server | 1.166.53 | All | All | All |
| Application | Tanstack | Tanstack/zod-adapter | 1.166.12 | All | All | All |
| Application | Tanstack | Tanstack/zod-adapter | 1.166.15 | All | All | All |
| Application | Uipath | Uipath/access-policy-sdk | 0.3.1 | All | All | All |
| Application | Uipath | Uipath/access-policy-tool | 0.3.1 | All | All | All |
| Application | Uipath | Uipath/admin-tool | 0.1.1 | All | All | All |
| Application | Uipath | Uipath/agent-sdk | 1.0.2 | All | All | All |
| Application | Uipath | Uipath/agent-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/agent.sdk | 0.0.18 | All | All | All |
| Application | Uipath | Uipath/aops-policy-tool | 0.3.1 | All | All | All |
| Application | Uipath | Uipath/ap-chat | 1.5.7 | All | All | All |
| Application | Uipath | Uipath/api-workflow-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/apollo-core | 5.9.2 | All | All | All |
| Application | Uipath | Uipath/apollo-react | 4.24.5 | All | All | All |
| Application | Uipath | Uipath/apollo-wind | 2.16.2 | All | All | All |
| Application | Uipath | Uipath/auth | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/case-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/cli | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/codedagent-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/codedagents-tool | 0.1.12 | All | All | All |
| Application | Uipath | Uipath/codedapp-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/common | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/context-grounding-tool | 0.1.1 | All | All | All |
| Application | Uipath | Uipath/data-fabric-tool | 1.0.2 | All | All | All |
| Application | Uipath | Uipath/docsai-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/filesystem | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/flow-tool | 1.0.2 | All | All | All |
| Application | Uipath | Uipath/functions-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/gov-tool | 0.3.1 | All | All | All |
| Application | Uipath | Uipath/identity-tool | 0.1.1 | All | All | All |
| Application | Uipath | Uipath/insights-sdk | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/insights-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/integrationservice-sdk | 1.0.2 | All | All | All |
| Application | Uipath | Uipath/integrationservice-tool | 1.0.2 | All | All | All |
| Application | Uipath | Uipath/llmgw-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/maestro-sdk | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/maestro-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/orchestrator-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/packager-tool-apiworkflow | 0.0.19 | All | All | All |
| Application | Uipath | Uipath/packager-tool-bpmn | 0.0.9 | All | All | All |
| Application | Uipath | Uipath/packager-tool-case | 0.0.9 | All | All | All |
| Application | Uipath | Uipath/packager-tool-connector | 0.0.19 | All | All | All |
| Application | Uipath | Uipath/packager-tool-flow | 0.0.19 | All | All | All |
| Application | Uipath | Uipath/packager-tool-functions | 0.1.1 | All | All | All |
| Application | Uipath | Uipath/packager-tool-webapp | 1.0.6 | All | All | All |
| Application | Uipath | Uipath/packager-tool-workflowcompiler | 0.0.16 | All | All | All |
| Application | Uipath | Uipath/packager-tool-workflowcompiler-browser | 0.0.34 | All | All | All |
| Application | Uipath | Uipath/platform-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/project-packager | 1.1.16 | All | All | All |
| Application | Uipath | Uipath/resource-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/resourcecatalog-tool | 0.1.1 | All | All | All |
| Application | Uipath | Uipath/resources-tool | 0.1.11 | All | All | All |
| Application | Uipath | Uipath/robot | 1.3.4 | All | All | All |
| Application | Uipath | Uipath/rpa-legacy-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/rpa-tool | 0.9.5 | All | All | All |
| Application | Uipath | Uipath/solution-packager | 0.0.35 | All | All | All |
| Application | Uipath | Uipath/solution-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/solutionpackager-sdk | 1.0.11 | All | All | All |
| Application | Uipath | Uipath/solutionpackager-tool-core | 0.0.34 | All | All | All |
| Application | Uipath | Uipath/tasks-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/telemetry | 0.0.7 | All | All | All |
| Application | Uipath | Uipath/test-manager-tool | 1.0.2 | All | All | All |
| Application | Uipath | Uipath/tool-workflowcompiler | 0.0.12 | All | All | All |
| Application | Uipath | Uipath/traces-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/ui-widgets-multi-file-upload | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/uipath-python-bridge | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/vertical-solutions-tool | 1.0.1 | All | All | All |
| Application | Uipath | Uipath/vss | 0.1.6 | All | All | All |
| Application | Uipath | Uipath/widget.sdk | 1.2.3 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | @tanstack | Arktype-adapter | affected 1.166.12 | Not specified |
| CNA | @tanstack | Arktype-adapter | affected 1.166.15 | Not specified |
| CNA | @tanstack | Eslint-plugin-router | affected 1.161.9 | Not specified |
| CNA | @tanstack | Eslint-plugin-router | affected 1.161.12 | Not specified |
| CNA | @tanstack | Eslint-plugin-start | affected 0.0.4 | Not specified |
| CNA | @tanstack | Eslint-plugin-start | affected 0.0.7 | Not specified |
| CNA | @tanstack | History | affected 1.161.9 | Not specified |
| CNA | @tanstack | History | affected 1.161.12 | Not specified |
| CNA | @tanstack | Nitro-v2-vite-plugin | affected 1.154.12 | Not specified |
| CNA | @tanstack | Nitro-v2-vite-plugin | affected 1.154.15 | Not specified |
| CNA | @tanstack | React-router | affected 1.169.5 | Not specified |
| CNA | @tanstack | React-router | affected 1.169.8 | Not specified |
| CNA | @tanstack | React-router-devtools | affected 1.166.16 | Not specified |
| CNA | @tanstack | React-router-devtools | affected 1.166.19 | Not specified |
| CNA | @tanstack | React-router-ssr-query | affected 1.166.15 | Not specified |
| CNA | @tanstack | React-router-ssr-query | affected 1.166.18 | Not specified |
| CNA | @tanstack | React-start | affected 1.167.68 | Not specified |
| CNA | @tanstack | React-start | affected 1.167.71 | Not specified |
| CNA | @tanstack | React-start-client | affected 1.166.51 | Not specified |
| CNA | @tanstack | React-start-client | affected 1.166.54 | Not specified |
| CNA | @tanstack | React-start-rsc | affected 0.0.47 | Not specified |
| CNA | @tanstack | React-start-rsc | affected 0.0.50 | Not specified |
| CNA | @tanstack | React-start-server | affected 1.166.55 | Not specified |
| CNA | @tanstack | React-start-server | affected 1.166.58 | Not specified |
| CNA | @tanstack | Router-cli | affected 1.166.46 | Not specified |
| CNA | @tanstack | Router-cli | affected 1.166.49 | Not specified |
| CNA | @tanstack | Router-core | affected 1.169.5 | Not specified |
| CNA | @tanstack | Router-core | affected 1.169.8 | Not specified |
| CNA | @tanstack | Router-devtools | affected 1.166.16 | Not specified |
| CNA | @tanstack | Router-devtools | affected 1.166.19 | Not specified |
| CNA | @tanstack | Router-devtools-core | affected 1.167.6 | Not specified |
| CNA | @tanstack | Router-devtools-core | affected 1.167.9 | Not specified |
| CNA | @tanstack | Router-generator | affected 1.166.45 | Not specified |
| CNA | @tanstack | Router-generator | affected 1.166.48 | Not specified |
| CNA | @tanstack | Router-plugin | affected 1.167.38 | Not specified |
| CNA | @tanstack | Router-plugin | affected 1.167.41 | Not specified |
| CNA | @tanstack | Router-ssr-query-core | affected 1.168.3 | Not specified |
| CNA | @tanstack | Router-ssr-query-core | affected 1.168.6 | Not specified |
| CNA | @tanstack | Router-utils | affected 1.161.11 | Not specified |
| CNA | @tanstack | Router-utils | affected 1.161.14 | Not specified |
| CNA | @tanstack | Outer-vite-plugin | affected 1.166.53 | Not specified |
| CNA | @tanstack | Outer-vite-plugin | affected 1.166.56 | Not specified |
| CNA | @tanstack | Solid-router | affected 1.169.5 | Not specified |
| CNA | @tanstack | Solid-router | affected 1.169.8 | Not specified |
| CNA | @tanstack | Solid-router-devtools | affected 1.166.16 | Not specified |
| CNA | @tanstack | Solid-router-devtools | affected 1.166.19 | Not specified |
| CNA | @tanstack | Solid-router-ssr-query | affected 1.166.15 | Not specified |
| CNA | @tanstack | Solid-router-ssr-query | affected 1.166.18 | Not specified |
| CNA | @tanstack | Solid-start | affected 1.167.65 | Not specified |
| CNA | @tanstack | Solid-start | affected 1.167.68 | Not specified |
| CNA | @tanstack | Solid-start-client | affected 1.166.50 | Not specified |
| CNA | @tanstack | Solid-start-client | affected 1.166.53 | Not specified |
| CNA | @tanstack | Solid-start-server | affected 1.166.54 | Not specified |
| CNA | @tanstack | Solid-start-server | affected 1.166.57 | Not specified |
| CNA | @tanstack | Start-client-core | affected 1.168.5 | Not specified |
| CNA | @tanstack | Start-client-core | affected 1.168.8 | Not specified |
| CNA | @tanstack | Start-fn-stubs | affected 1.161.9 | Not specified |
| CNA | @tanstack | Start-fn-stubs | affected 1.161.12 | Not specified |
| CNA | @tanstack | Start-plugin-core | affected 1.169.23 | Not specified |
| CNA | @tanstack | Start-plugin-core | affected 1.169.26 | Not specified |
| CNA | @tanstack | Start-server-core | affected 1.167.33 | Not specified |
| CNA | @tanstack | Start-server-core | affected 1.167.36 | Not specified |
| CNA | @tanstack | Start-static-server-functions | affected 1.166.44 | Not specified |
| CNA | @tanstack | Start-static-server-functions | affected 1.166.47 | Not specified |
| CNA | @tanstack | Start-storage-context | affected 1.166.38 | Not specified |
| CNA | @tanstack | Start-storage-context | affected 1.166.41 | Not specified |
| CNA | @tanstack | Valibot-adapter | affected 1.166.12 | Not specified |
| CNA | @tanstack | Valibot-adapter | affected 1.166.15 | Not specified |
| CNA | @tanstack | Virtual-file-routes | affected 1.161.10 | Not specified |
| CNA | @tanstack | Virtual-file-routes | affected 1.161.13 | Not specified |
| CNA | @tanstack | Vue-router | affected 1.169.5 | Not specified |
| CNA | @tanstack | Vue-router | affected 1.169.8 | Not specified |
| CNA | @tanstack | Vue-router-devtools | affected 1.166.16 | Not specified |
| CNA | @tanstack | Vue-router-devtools | affected 1.166.19 | Not specified |
| CNA | @tanstack | Vue-router-ssr-query | affected 1.166.15 | Not specified |
| CNA | @tanstack | Vue-router-ssr-query | affected 1.166.18 | Not specified |
| CNA | @tanstack | Vue-start | affected 1.167.61 | Not specified |
| CNA | @tanstack | Vue-start | affected 1.167.64 | Not specified |
| CNA | @tanstack | Vue-start-client | affected 1.166.46 | Not specified |
| CNA | @tanstack | Vue-start-client | affected 1.166.49 | Not specified |
| CNA | @tanstack | Vue-start-server | affected 1.166.50 | Not specified |
| CNA | @tanstack | Vue-start-server | affected 1.166.53 | Not specified |
| CNA | @tanstack | Zod-adapter | affected 1.166.12 | Not specified |
| CNA | @tanstack | Zod-adapter | affected 1.166.15 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/TanStack/router/issues/7383 | [email protected] | github.com | Issue Tracking |
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-at... | [email protected] | www.stepsecurity.io | Exploit, Third Party Advisory |
| github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx | [email protected] | github.com | Mitigation, Vendor Advisory |
| tanstack.com/blog/npm-supply-chain-compromise-postmortem | [email protected] | tanstack.com | Exploit, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-27T00:00:00.000Z | CVE-2026-45321 added to CISA KEV |
There are currently no legacy QID mappings associated with this CVE.