CVE-2026-45321
CRITICAL CISA KEV EPSS 81.5%
Published May 12, 20261mo ago · Modified Jun 17, 20261w ago
9.6 CVSS 3.1
Published May 12, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago
KEV Listed May 27, 2026 1mo ago
KEV Due Jun 10, 2026 19d overdue
Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High
Threat Intelligence
CISA Known Exploited Overdue 19d
- Added
- May 27, 2026
- Due
- Jun 10, 2026
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EPSS Exploit Probability
81.5% percentile
Exploit & Patch Status
Actively Exploited (KEV)
No Patch Available
Weaknesses 1
CWE-506
Affected Products 343
| Vendor | Product | Version | Range |
|---|---|---|---|
| tanstack | tanstack\/arktype-adapter | 1.166.12 | any |
| tanstack | tanstack\/arktype-adapter | 1.166.15 | any |
| tanstack | tanstack\/eslint-plugin-router | 1.161.9 | any |
| tanstack | tanstack\/eslint-plugin-router | 1.161.12 | any |
| tanstack | tanstack\/eslint-plugin-start | 0.0.4 | any |
| tanstack | tanstack\/eslint-plugin-start | 0.0.7 | any |
| tanstack | tanstack\/history | 1.161.9 | any |
| tanstack | tanstack\/history | 1.161.12 | any |
| tanstack | tanstack\/nitro-v2-vite-plugin | 1.154.12 | any |
| tanstack | tanstack\/nitro-v2-vite-plugin | 1.154.15 | any |
| tanstack | tanstack\/react-router | 1.169.5 | any |
| tanstack | tanstack\/react-router | 1.169.8 | any |
| tanstack | tanstack\/react-router-devtools | 1.166.16 | any |
| tanstack | tanstack\/react-router-devtools | 1.166.19 | any |
| tanstack | tanstack\/react-router-ssr-query | 1.166.15 | any |
| tanstack | tanstack\/react-router-ssr-query | 1.166.18 | any |
| tanstack | tanstack\/react-start | 1.167.68 | any |
| tanstack | tanstack\/react-start | 1.167.71 | any |
| tanstack | tanstack\/react-start-client | 1.166.51 | any |
| tanstack | tanstack\/react-start-client | 1.166.54 | any |
| tanstack | tanstack\/react-start-rsc | 0.0.47 | any |
| tanstack | tanstack\/react-start-rsc | 0.0.50 | any |
| tanstack | tanstack\/react-start-server | 1.166.55 | any |
| tanstack | tanstack\/react-start-server | 1.166.58 | any |
| tanstack | tanstack\/router-cli | 1.166.46 | any |
| tanstack | tanstack\/router-cli | 1.166.49 | any |
| tanstack | tanstack\/router-core | 1.169.5 | any |
| tanstack | tanstack\/router-core | 1.169.8 | any |
| tanstack | tanstack\/router-devtools | 1.166.16 | any |
| tanstack | tanstack\/router-devtools | 1.166.19 | any |
| tanstack | tanstack\/router-devtools-core | 1.167.6 | any |
| tanstack | tanstack\/router-devtools-core | 1.167.9 | any |
| tanstack | tanstack\/router-generator | 1.166.45 | any |
| tanstack | tanstack\/router-generator | 1.166.48 | any |
| tanstack | tanstack\/router-plugin | 1.167.38 | any |
| tanstack | tanstack\/router-plugin | 1.167.41 | any |
| tanstack | tanstack\/router-ssr-query-core | 1.168.3 | any |
| tanstack | tanstack\/router-ssr-query-core | 1.168.6 | any |
| tanstack | tanstack\/router-utils | 1.161.11 | any |
| tanstack | tanstack\/router-utils | 1.161.14 | any |
| tanstack | tanstack\/router-vite-plugin | 1.166.53 | any |
| tanstack | tanstack\/router-vite-plugin | 1.166.56 | any |
| tanstack | tanstack\/solid-router | 1.169.5 | any |
| tanstack | tanstack\/solid-router | 1.169.8 | any |
| tanstack | tanstack\/solid-router-devtools | 1.166.16 | any |
| tanstack | tanstack\/solid-router-devtools | 1.166.19 | any |
| tanstack | tanstack\/solid-router-ssr-query | 1.166.15 | any |
| tanstack | tanstack\/solid-router-ssr-query | 1.166.18 | any |
| tanstack | tanstack\/solid-start | 1.167.65 | any |
| tanstack | tanstack\/solid-start | 1.167.68 | any |
| tanstack | tanstack\/solid-start-client | 1.166.50 | any |
| tanstack | tanstack\/solid-start-client | 1.166.53 | any |
| tanstack | tanstack\/solid-start-server | 1.166.54 | any |
| tanstack | tanstack\/solid-start-server | 1.166.57 | any |
| tanstack | tanstack\/start-client-core | 1.168.5 | any |
| tanstack | tanstack\/start-client-core | 1.168.8 | any |
| tanstack | tanstack\/start-fn-stubs | 1.161.9 | any |
| tanstack | tanstack\/start-fn-stubs | 1.161.12 | any |
| tanstack | tanstack\/start-plugin-core | 1.169.23 | any |
| tanstack | tanstack\/start-plugin-core | 1.169.26 | any |
| tanstack | tanstack\/start-server-core | 1.167.33 | any |
| tanstack | tanstack\/start-server-core | 1.167.36 | any |
| tanstack | tanstack\/start-static-server-functions | 1.166.44 | any |
| tanstack | tanstack\/start-static-server-functions | 1.166.47 | any |
| tanstack | tanstack\/start-storage-context | 1.166.38 | any |
| tanstack | tanstack\/start-storage-context | 1.166.41 | any |
| tanstack | tanstack\/valibot-adapter | 1.166.12 | any |
| tanstack | tanstack\/valibot-adapter | 1.166.15 | any |
| tanstack | tanstack\/virtual-file-routes | 1.161.10 | any |
| tanstack | tanstack\/virtual-file-routes | 1.161.13 | any |
| tanstack | tanstack\/vue-router | 1.169.5 | any |
| tanstack | tanstack\/vue-router | 1.169.8 | any |
| tanstack | tanstack\/vue-router-devtools | 1.166.16 | any |
| tanstack | tanstack\/vue-router-devtools | 1.166.19 | any |
| tanstack | tanstack\/vue-router-ssr-query | 1.166.15 | any |
| tanstack | tanstack\/vue-router-ssr-query | 1.166.18 | any |
| tanstack | tanstack\/vue-start | 1.167.61 | any |
| tanstack | tanstack\/vue-start | 1.167.64 | any |
| tanstack | tanstack\/vue-start-client | 1.166.46 | any |
| tanstack | tanstack\/vue-start-client | 1.166.49 | any |
| tanstack | tanstack\/vue-start-server | 1.166.50 | any |
| tanstack | tanstack\/vue-start-server | 1.166.53 | any |
| tanstack | tanstack\/zod-adapter | 1.166.12 | any |
| tanstack | tanstack\/zod-adapter | 1.166.15 | any |
| mistral | mistralai | 2.4.6 | any |
| mistral | mistralai\/mistralai | 2.2.3 | any |
| mistral | mistralai\/mistralai | 2.2.4 | any |
| mistral | mistralai\/mistralai-azure | 1.7.2 | any |
| mistral | mistralai\/mistralai-azure | 1.7.3 | any |
| mistral | mistralai\/mistralai-gcp | 1.7.2 | any |
| mistral | mistralai\/mistralai-gcp | 1.7.3 | any |
| antoinebcx | ml-toolkit-ts | 1.0.4 | any |
| antoinebcx | ml-toolkit-ts | 1.0.5 | any |
| antoinebcx | ml-toolkit-ts\/preprocessing | 1.0.2 | any |
| antoinebcx | ml-toolkit-ts\/preprocessing | 1.0.3 | any |
| antoinebcx | ml-toolkit-ts\/xgboost | 1.0.3 | any |
| antoinebcx | ml-toolkit-ts\/xgboost | 1.0.4 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.2 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.3 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.4 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.5 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.6 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.7 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.8 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.9 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.10 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.11 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.12 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.13 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.14 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.15 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.16 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.17 | any |
| beproduct | beproduct\/nestjs-auth | 0.1.19 | any |
| christianalares | git-git-git | 1.0.8 | any |
| christianalares | git-git-git | 1.0.9 | any |
| christianalares | git-git-git | 1.0.10 | any |
| christianalares | git-git-git | 1.0.12 | any |
| christianalares | git_branch_selector | 1.3.3 | any |
| christianalares | git_branch_selector | 1.3.4 | any |
| christianalares | git_branch_selector | 1.3.5 | any |
| christianalares | git_branch_selector | 1.3.7 | any |
| christianalares | nextmove-mcp | 0.1.3 | any |
| christianalares | nextmove-mcp | 0.1.4 | any |
| christianalares | nextmove-mcp | 0.1.5 | any |
| christianalares | nextmove-mcp | 0.1.7 | any |
| christianalares | tolka\/cli | 1.0.2 | any |
| christianalares | tolka\/cli | 1.0.3 | any |
| christianalares | tolka\/cli | 1.0.4 | any |
| christianalares | tolka\/cli | 1.0.6 | any |
| multiagentcognition | cmux-agent-mcp | 0.1.3 | any |
| multiagentcognition | cmux-agent-mcp | 0.1.4 | any |
| multiagentcognition | cmux-agent-mcp | 0.1.5 | any |
| multiagentcognition | cmux-agent-mcp | 0.1.6 | any |
| multiagentcognition | cmux-agent-mcp | 0.1.7 | any |
| multiagentcognition | cmux-agent-mcp | 0.1.8 | any |
| abhishake1 | supersurkhet\/cli | 0.0.2 | any |
| abhishake1 | supersurkhet\/cli | 0.0.3 | any |
| abhishake1 | supersurkhet\/cli | 0.0.4 | any |
| abhishake1 | supersurkhet\/cli | 0.0.5 | any |
| abhishake1 | supersurkhet\/cli | 0.0.6 | any |
| abhishake1 | supersurkhet\/cli | 0.0.7 | any |
| abhishake1 | supersurkhet\/sdk | 0.0.2 | any |
| abhishake1 | supersurkhet\/sdk | 0.0.3 | any |
| abhishake1 | supersurkhet\/sdk | 0.0.4 | any |
| abhishake1 | supersurkhet\/sdk | 0.0.5 | any |
| abhishake1 | supersurkhet\/sdk | 0.0.6 | any |
| abhishake1 | supersurkhet\/sdk | 0.0.7 | any |
| abhishake1 | taskflow-corp\/cli | 0.1.24 | any |
| abhishake1 | taskflow-corp\/cli | 0.1.25 | any |
| abhishake1 | taskflow-corp\/cli | 0.1.26 | any |
| abhishake1 | taskflow-corp\/cli | 0.1.27 | any |
| abhishake1 | taskflow-corp\/cli | 0.1.28 | any |
| abhishake1 | taskflow-corp\/cli | 0.1.29 | any |
| kilbot | tallyui\/components | 1.0.1 | any |
| kilbot | tallyui\/components | 1.0.2 | any |
| kilbot | tallyui\/components | 1.0.3 | any |
| kilbot | tallyui\/connector-medusa | 1.0.1 | any |
| kilbot | tallyui\/connector-medusa | 1.0.2 | any |
| kilbot | tallyui\/connector-medusa | 1.0.3 | any |
| kilbot | tallyui\/connector-shopify | 1.0.1 | any |
| kilbot | tallyui\/connector-shopify | 1.0.2 | any |
| kilbot | tallyui\/connector-shopify | 1.0.3 | any |
| kilbot | tallyui\/connector-vendure | 1.0.1 | any |
| kilbot | tallyui\/connector-vendure | 1.0.2 | any |
| kilbot | tallyui\/connector-vendure | 1.0.3 | any |
| kilbot | tallyui\/connector-woocommerce | 1.0.1 | any |
| kilbot | tallyui\/connector-woocommerce | 1.0.2 | any |
| kilbot | tallyui\/connector-woocommerce | 1.0.3 | any |
| kilbot | tallyui\/core | 0.2.1 | any |
| kilbot | tallyui\/core | 0.2.2 | any |
| kilbot | tallyui\/core | 0.2.3 | any |
| kilbot | tallyui\/database | 1.0.1 | any |
| kilbot | tallyui\/database | 1.0.2 | any |
| kilbot | tallyui\/database | 1.0.3 | any |
| kilbot | tallyui\/pos | 0.1.1 | any |
| kilbot | tallyui\/pos | 0.1.2 | any |
| kilbot | tallyui\/pos | 0.1.3 | any |
| kilbot | tallyui\/storage-sqlite | 0.2.1 | any |
| kilbot | tallyui\/storage-sqlite | 0.2.2 | any |
| kilbot | tallyui\/storage-sqlite | 0.2.3 | any |
| kilbot | tallyui\/theme | 0.2.1 | any |
| kilbot | tallyui\/theme | 0.2.2 | any |
| kilbot | tallyui\/theme | 0.2.3 | any |
| matheuspergoli | draftauth\/client | 0.2.1 | any |
| matheuspergoli | draftauth\/client | 0.2.2 | any |
| matheuspergoli | draftauth\/core | 0.13.1 | any |
| matheuspergoli | draftauth\/core | 0.13.2 | any |
| matheuspergoli | draftlab\/auth | 0.24.1 | any |
| matheuspergoli | draftlab\/auth | 0.24.2 | any |
| matheuspergoli | draftlab\/auth-router | 0.5.1 | any |
| matheuspergoli | draftlab\/auth-router | 0.5.2 | any |
| matheuspergoli | draftlab\/db | 0.16.1 | any |
| matheuspergoli | draftlab\/db | 0.16.2 | any |
| matheuspergoli | simple_type-safe_actions | 0.8.3 | any |
| matheuspergoli | simple_type-safe_actions | 0.8.4 | any |
| neilcochran | cross-stitch | 1.1.3 | any |
| neilcochran | cross-stitch | 1.1.4 | any |
| neilcochran | cross-stitch | 1.1.6 | any |
| neilcochran | squawk\/airports | 0.6.2 | any |
| neilcochran | squawk\/airports | 0.6.3 | any |
| neilcochran | squawk\/airports | 0.6.5 | any |
| neilcochran | squawk\/airspace | 0.8.1 | any |
| neilcochran | squawk\/airspace | 0.8.2 | any |
| neilcochran | squawk\/airspace | 0.8.4 | any |
| neilcochran | squawk\/airspace-data | 0.5.3 | any |
| neilcochran | squawk\/airspace-data | 0.5.4 | any |
| neilcochran | squawk\/airspace-data | 0.5.6 | any |
| neilcochran | squawk\/airway-data | 0.5.4 | any |
| neilcochran | squawk\/airway-data | 0.5.5 | any |
| neilcochran | squawk\/airway-data | 0.5.7 | any |
| neilcochran | squawk\/airways | 0.4.2 | any |
| neilcochran | squawk\/airways | 0.4.3 | any |
| neilcochran | squawk\/airways | 0.4.5 | any |
| neilcochran | squawk\/fix-data | 0.6.4 | any |
| neilcochran | squawk\/fix-data | 0.6.5 | any |
| neilcochran | squawk\/fix-data | 0.6.7 | any |
| neilcochran | squawk\/fixes | 0.3.2 | any |
| neilcochran | squawk\/fixes | 0.3.3 | any |
| neilcochran | squawk\/fixes | 0.3.5 | any |
| neilcochran | squawk\/flight-math | 0.5.4 | any |
| neilcochran | squawk\/flight-math | 0.5.5 | any |
| neilcochran | squawk\/flight-math | 0.5.7 | any |
| neilcochran | squawk\/flightplan | 0.5.2 | any |
| neilcochran | squawk\/flightplan | 0.5.3 | any |
| neilcochran | squawk\/flightplan | 0.5.5 | any |
| neilcochran | squawk\/geo | 0.4.4 | any |
| neilcochran | squawk\/geo | 0.4.5 | any |
| neilcochran | squawk\/geo | 0.4.7 | any |
| neilcochran | squawk\/icao-registry | 0.5.2 | any |
| neilcochran | squawk\/icao-registry | 0.5.3 | any |
| neilcochran | squawk\/icao-registry | 0.5.5 | any |
| neilcochran | squawk\/icao-registry-data | 0.8.4 | any |
| neilcochran | squawk\/icao-registry-data | 0.8.5 | any |
| neilcochran | squawk\/icao-registry-data | 0.8.7 | any |
| neilcochran | squawk\/mcp | 0.9.1 | any |
| neilcochran | squawk\/mcp | 0.9.2 | any |
| neilcochran | squawk\/mcp | 0.9.4 | any |
| neilcochran | squawk\/navaid-data | 0.6.4 | any |
| neilcochran | squawk\/navaid-data | 0.6.5 | any |
| neilcochran | squawk\/navaid-data | 0.6.7 | any |
| neilcochran | squawk\/navaids | 0.4.2 | any |
| neilcochran | squawk\/navaids | 0.4.3 | any |
| neilcochran | squawk\/navaids | 0.4.5 | any |
| neilcochran | squawk\/notams | 0.3.6 | any |
| neilcochran | squawk\/notams | 0.3.7 | any |
| neilcochran | squawk\/notams | 0.3.9 | any |
| neilcochran | squawk\/procedure-data | 0.7.3 | any |
| neilcochran | squawk\/procedure-data | 0.7.4 | any |
| neilcochran | squawk\/procedure-data | 0.7.6 | any |
| neilcochran | squawk\/procedures | 0.5.2 | any |
| neilcochran | squawk\/procedures | 0.5.3 | any |
| neilcochran | squawk\/procedures | 0.5.5 | any |
| neilcochran | squawk\/types | 0.8.1 | any |
| neilcochran | squawk\/types | 0.8.2 | any |
| neilcochran | squawk\/types | 0.8.4 | any |
| neilcochran | squawk\/units | 0.4.3 | any |
| neilcochran | squawk\/units | 0.4.4 | any |
| neilcochran | squawk\/units | 0.4.6 | any |
| neilcochran | squawk\/weather | 0.5.6 | any |
| neilcochran | squawk\/weather | 0.5.7 | any |
| neilcochran | squawk\/weather | 0.5.9 | any |
| neilcochran | ts-dna | 3.0.1 | any |
| neilcochran | ts-dna | 3.0.2 | any |
| neilcochran | ts-dna | 3.0.4 | any |
| neilcochran | wot-api | 0.8.1 | any |
| neilcochran | wot-api | 0.8.2 | any |
| neilcochran | wot-api | 0.8.4 | any |
| agentworkhq | agentwork-cli | 0.1.4 | any |
| agentworkhq | agentwork-cli | 0.1.5 | any |
| dirigible | dirigible-ai\/sdk | 0.6.2 | any |
| dirigible | dirigible-ai\/sdk | 0.6.3 | any |
| guardrailsai | guardrails_ai | 0.10.1 | any |
| linuxfoundation | opensearch | 3.6.2 | any |
| mesa | mesadev\/rest | 0.28.3 | any |
| mesa | mesadev\/saguaro | 0.4.22 | any |
| mesa | mesadev\/sdk | 0.28.3 | any |
| uipath | uipath\/access-policy-sdk | 0.3.1 | any |
| uipath | uipath\/access-policy-tool | 0.3.1 | any |
| uipath | uipath\/admin-tool | 0.1.1 | any |
| uipath | uipath\/agent-sdk | 1.0.2 | any |
| uipath | uipath\/agent-tool | 1.0.1 | any |
| uipath | uipath\/agent.sdk | 0.0.18 | any |
| uipath | uipath\/aops-policy-tool | 0.3.1 | any |
| uipath | uipath\/ap-chat | 1.5.7 | any |
| uipath | uipath\/api-workflow-tool | 1.0.1 | any |
| uipath | uipath\/apollo-core | 5.9.2 | any |
| uipath | uipath\/apollo-react | 4.24.5 | any |
| uipath | uipath\/apollo-wind | 2.16.2 | any |
| uipath | uipath\/auth | 1.0.1 | any |
| uipath | uipath\/case-tool | 1.0.1 | any |
| uipath | uipath\/cli | 1.0.1 | any |
| uipath | uipath\/codedagent-tool | 1.0.1 | any |
| uipath | uipath\/codedagents-tool | 0.1.12 | any |
| uipath | uipath\/codedapp-tool | 1.0.1 | any |
| uipath | uipath\/common | 1.0.1 | any |
| uipath | uipath\/context-grounding-tool | 0.1.1 | any |
| uipath | uipath\/data-fabric-tool | 1.0.2 | any |
| uipath | uipath\/docsai-tool | 1.0.1 | any |
| uipath | uipath\/filesystem | 1.0.1 | any |
| uipath | uipath\/flow-tool | 1.0.2 | any |
| uipath | uipath\/functions-tool | 1.0.1 | any |
| uipath | uipath\/gov-tool | 0.3.1 | any |
| uipath | uipath\/identity-tool | 0.1.1 | any |
| uipath | uipath\/insights-sdk | 1.0.1 | any |
| uipath | uipath\/insights-tool | 1.0.1 | any |
| uipath | uipath\/integrationservice-sdk | 1.0.2 | any |
| uipath | uipath\/integrationservice-tool | 1.0.2 | any |
| uipath | uipath\/llmgw-tool | 1.0.1 | any |
| uipath | uipath\/maestro-sdk | 1.0.1 | any |
| uipath | uipath\/maestro-tool | 1.0.1 | any |
| uipath | uipath\/orchestrator-tool | 1.0.1 | any |
| uipath | uipath\/packager-tool-apiworkflow | 0.0.19 | any |
| uipath | uipath\/packager-tool-bpmn | 0.0.9 | any |
| uipath | uipath\/packager-tool-case | 0.0.9 | any |
| uipath | uipath\/packager-tool-connector | 0.0.19 | any |
| uipath | uipath\/packager-tool-flow | 0.0.19 | any |
| uipath | uipath\/packager-tool-functions | 0.1.1 | any |
| uipath | uipath\/packager-tool-webapp | 1.0.6 | any |
| uipath | uipath\/packager-tool-workflowcompiler | 0.0.16 | any |
| uipath | uipath\/packager-tool-workflowcompiler-browser | 0.0.34 | any |
| uipath | uipath\/platform-tool | 1.0.1 | any |
| uipath | uipath\/project-packager | 1.1.16 | any |
| uipath | uipath\/resource-tool | 1.0.1 | any |
| uipath | uipath\/resourcecatalog-tool | 0.1.1 | any |
| uipath | uipath\/resources-tool | 0.1.11 | any |
| uipath | uipath\/robot | 1.3.4 | any |
| uipath | uipath\/rpa-legacy-tool | 1.0.1 | any |
| uipath | uipath\/rpa-tool | 0.9.5 | any |
| uipath | uipath\/solution-packager | 0.0.35 | any |
| uipath | uipath\/solution-tool | 1.0.1 | any |
| uipath | uipath\/solutionpackager-sdk | 1.0.11 | any |
| uipath | uipath\/solutionpackager-tool-core | 0.0.34 | any |
| uipath | uipath\/tasks-tool | 1.0.1 | any |
| uipath | uipath\/telemetry | 0.0.7 | any |
| uipath | uipath\/test-manager-tool | 1.0.2 | any |
| uipath | uipath\/tool-workflowcompiler | 0.0.12 | any |
| uipath | uipath\/traces-tool | 1.0.1 | any |
| uipath | uipath\/ui-widgets-multi-file-upload | 1.0.1 | any |
| uipath | uipath\/uipath-python-bridge | 1.0.1 | any |
| uipath | uipath\/vertical-solutions-tool | 1.0.1 | any |
| uipath | uipath\/vss | 0.1.6 | any |
| uipath | uipath\/widget.sdk | 1.2.3 | any |
References 5
- github.com https://github.com/TanStack/router/issues/7383
- github.com https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
- tanstack.com https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
- cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321
- stepsecurity.io https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.