CVE-2026-45772 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-45772 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-45772 is an arbitrary code execution vulnerability in Vercel's Turborepo, a high-performance build system for JavaScript and TypeScript codebases, affecting versions 1.1.0 through 2.9.13.
Technical Detail
The flaw allows arbitrary code execution when Turborepo is run within an untrusted repository, suggesting the build system processes repository-supplied configuration or scripts without adequate sandboxing or input validation. An attacker who controls or can influence repository contents, such as configuration files or build scripts ingested by Turborepo, could trigger execution of malicious code with the privileges of the developer account or CI/CD job running the tool. The impact is full code execution on the host running the build, which in CI/CD environments can result in secrets theft, supply chain compromise, or lateral movement into deployment infrastructure.
Exploitation Status
No known exploit exists for this vulnerability at this time. The exploit maturity is assessed as none, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The absence of a public exploit does not reduce the severity given the straightforward attack surface in developer and CI/CD workflows.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been identified in connection with this vulnerability.
What To Do
Upgrade Turborepo to version 2.9.14 or later immediately, as this is the confirmed patched release. Organizations running Turborepo in CI/CD pipelines should treat this as a high-priority patch given the critical CVSS score of 9.8 and the risk of supply chain compromise through developer tooling. As an interim measure, restrict Turborepo execution to trusted, internally controlled repositories and audit any third-party or forked repositories being built with Turborepo. Review CI/CD pipeline permissions to limit the blast radius of any code execution occurring within build jobs, including scoping secrets access and isolating build environments.