{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": [
              "cpe:2.3:a:neilcochran:squawk\\/airports:0.6.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airspace-data:0.5.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airway-data:0.5.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airways:0.4.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airways:0.4.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/fix-data:0.6.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/flight-math:0.5.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/geo:0.4.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/geo:0.4.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/navaid-data:0.6.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/navaids:0.4.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/navaids:0.4.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/units:0.4.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airports:0.6.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airway-data:0.5.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/fixes:0.3.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/flight-math:0.5.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/flightplan:0.5.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/icao-registry:0.5.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/procedure-data:0.7.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/procedures:0.5.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airspace:0.8.1:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/types:0.8.1:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:wot-api:0.8.1:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airspace:0.8.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/types:0.8.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:wot-api:0.8.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airspace:0.8.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airways:0.4.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/flightplan:0.5.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/icao-registry:0.5.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/icao-registry-data:0.8.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/navaids:0.4.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/procedures:0.5.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/types:0.8.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/units:0.4.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:wot-api:0.8.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airspace-data:0.5.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/flightplan:0.5.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/icao-registry:0.5.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/icao-registry-data:0.8.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/procedures:0.5.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/airway-data:0.5.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/fix-data:0.6.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/flight-math:0.5.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/geo:0.4.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/navaid-data:0.6.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/notams:0.3.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/weather:0.5.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/weather:0.5.9:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/fixes:0.3.2:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/fixes:0.3.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:neilcochran:squawk\\/icao-registry-data:0.8.5:*:*:*:*:node.js:*:*"
            ],
            "extracted_events": [
              {
                "introduced": "0.6.2"
              },
              {
                "last_affected": "0.6.2"
              },
              {
                "introduced": "0.5.4"
              },
              {
                "last_affected": "0.5.4"
              },
              {
                "introduced": "0.4.2"
              },
              {
                "last_affected": "0.4.2"
              },
              {
                "introduced": "0.4.5"
              },
              {
                "last_affected": "0.4.5"
              },
              {
                "introduced": "0.6.4"
              },
              {
                "last_affected": "0.6.4"
              },
              {
                "introduced": "0.4.4"
              },
              {
                "last_affected": "0.4.4"
              },
              {
                "introduced": "0.6.3"
              },
              {
                "last_affected": "0.6.3"
              },
              {
                "introduced": "0.5.5"
              },
              {
                "last_affected": "0.5.5"
              },
              {
                "introduced": "0.3.5"
              },
              {
                "last_affected": "0.3.5"
              },
              {
                "introduced": "0.7.3"
              },
              {
                "last_affected": "0.7.3"
              },
              {
                "introduced": "0.8.1"
              },
              {
                "last_affected": "0.8.1"
              },
              {
                "introduced": "0.8.2"
              },
              {
                "last_affected": "0.8.2"
              },
              {
                "introduced": "0.8.4"
              },
              {
                "last_affected": "0.8.4"
              },
              {
                "introduced": "0.4.3"
              },
              {
                "last_affected": "0.4.3"
              },
              {
                "introduced": "0.5.2"
              },
              {
                "last_affected": "0.5.2"
              },
              {
                "introduced": "0.5.3"
              },
              {
                "last_affected": "0.5.3"
              },
              {
                "introduced": "0.8.7"
              },
              {
                "last_affected": "0.8.7"
              },
              {
                "introduced": "0.5.7"
              },
              {
                "last_affected": "0.5.7"
              },
              {
                "introduced": "0.6.7"
              },
              {
                "last_affected": "0.6.7"
              },
              {
                "introduced": "0.4.7"
              },
              {
                "last_affected": "0.4.7"
              },
              {
                "introduced": "0.3.7"
              },
              {
                "last_affected": "0.3.7"
              },
              {
                "introduced": "0.5.9"
              },
              {
                "last_affected": "0.5.9"
              },
              {
                "introduced": "0.3.2"
              },
              {
                "last_affected": "0.3.2"
              },
              {
                "introduced": "0.3.3"
              },
              {
                "last_affected": "0.3.3"
              },
              {
                "introduced": "0.8.5"
              },
              {
                "last_affected": "0.8.5"
              }
            ],
            "source": "CPE_STRING"
          },
          "events": [
            {
              "introduced": "a60d00be86de161b30f2c5ae2d1cd296ae40f563"
            },
            {
              "last_affected": "ef89c4e2a575eadcc03264344908c08ec7c7c890"
            }
          ],
          "repo": "https://github.com/neilcochran/squawk",
          "type": "GIT"
        },
        {
          "database_specific": {
            "cpe": [
              "cpe:2.3:a:tanstack:tanstack\\/arktype-adapter:1.166.12:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/valibot-adapter:1.166.12:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/zod-adapter:1.166.12:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/arktype-adapter:1.166.15:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/react-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/solid-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/valibot-adapter:1.166.15:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/zod-adapter:1.166.15:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/eslint-plugin-start:0.0.4:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/eslint-plugin-start:0.0.7:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/nitro-v2-vite-plugin:1.154.12:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/react-router:1.169.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-core:1.169.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/solid-router:1.169.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-router:1.169.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/react-router:1.169.8:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-core:1.169.8:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/solid-router:1.169.8:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-router:1.169.8:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/react-router-devtools:1.166.16:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-devtools:1.166.16:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/solid-router-devtools:1.166.16:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-router-devtools:1.166.16:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/react-router-devtools:1.166.19:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-devtools:1.166.19:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-devtools-core:1.167.9:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/solid-router-devtools:1.166.19:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-router-devtools:1.166.19:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/react-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/solid-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/react-start-client:1.166.51:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/start-static-server-functions:1.166.47:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-start:1.167.61:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-start:1.167.64:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-cli:1.166.46:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/solid-start-client:1.166.50:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-start-client:1.166.46:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-start-server:1.166.50:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-cli:1.166.49:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-generator:1.166.45:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/vue-start-client:1.166.49:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-devtools-core:1.167.6:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-generator:1.166.48:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/start-static-server-functions:1.166.44:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-plugin:1.167.38:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-plugin:1.167.41:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-ssr-query-core:1.168.3:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/router-ssr-query-core:1.168.6:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/solid-start:1.167.65:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/start-client-core:1.168.5:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/start-client-core:1.168.8:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/start-server-core:1.167.33:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/start-server-core:1.167.36:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/start-storage-context:1.166.38:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:tanstack:tanstack\\/start-storage-context:1.166.41:*:*:*:*:node.js:*:*"
            ],
            "extracted_events": [
              {
                "introduced": "1.166.12"
              },
              {
                "last_affected": "1.166.12"
              },
              {
                "introduced": "1.166.15"
              },
              {
                "last_affected": "1.166.15"
              },
              {
                "introduced": "0.0.4"
              },
              {
                "last_affected": "0.0.4"
              },
              {
                "introduced": "0.0.7"
              },
              {
                "last_affected": "0.0.7"
              },
              {
                "introduced": "1.154.12"
              },
              {
                "last_affected": "1.154.12"
              },
              {
                "introduced": "1.169.5"
              },
              {
                "last_affected": "1.169.5"
              },
              {
                "introduced": "1.169.8"
              },
              {
                "last_affected": "1.169.8"
              },
              {
                "introduced": "1.166.16"
              },
              {
                "last_affected": "1.166.16"
              },
              {
                "introduced": "1.166.19"
              },
              {
                "last_affected": "1.166.19"
              },
              {
                "introduced": "1.167.9"
              },
              {
                "last_affected": "1.167.9"
              },
              {
                "introduced": "1.166.18"
              },
              {
                "last_affected": "1.166.18"
              },
              {
                "introduced": "1.166.51"
              },
              {
                "last_affected": "1.166.51"
              },
              {
                "introduced": "1.166.47"
              },
              {
                "last_affected": "1.166.47"
              },
              {
                "introduced": "1.167.61"
              },
              {
                "last_affected": "1.167.61"
              },
              {
                "introduced": "1.167.64"
              },
              {
                "last_affected": "1.167.64"
              },
              {
                "introduced": "1.166.46"
              },
              {
                "last_affected": "1.166.46"
              },
              {
                "introduced": "1.166.50"
              },
              {
                "last_affected": "1.166.50"
              },
              {
                "introduced": "1.166.49"
              },
              {
                "last_affected": "1.166.49"
              },
              {
                "introduced": "1.166.45"
              },
              {
                "last_affected": "1.166.45"
              },
              {
                "introduced": "1.167.6"
              },
              {
                "last_affected": "1.167.6"
              },
              {
                "introduced": "1.166.48"
              },
              {
                "last_affected": "1.166.48"
              },
              {
                "introduced": "1.166.44"
              },
              {
                "last_affected": "1.166.44"
              },
              {
                "introduced": "1.167.38"
              },
              {
                "last_affected": "1.167.38"
              },
              {
                "introduced": "1.167.41"
              },
              {
                "last_affected": "1.167.41"
              },
              {
                "introduced": "1.168.3"
              },
              {
                "last_affected": "1.168.3"
              },
              {
                "introduced": "1.168.6"
              },
              {
                "last_affected": "1.168.6"
              },
              {
                "introduced": "1.167.65"
              },
              {
                "last_affected": "1.167.65"
              },
              {
                "introduced": "1.168.5"
              },
              {
                "last_affected": "1.168.5"
              },
              {
                "introduced": "1.168.8"
              },
              {
                "last_affected": "1.168.8"
              },
              {
                "introduced": "1.167.33"
              },
              {
                "last_affected": "1.167.33"
              },
              {
                "introduced": "1.167.36"
              },
              {
                "last_affected": "1.167.36"
              },
              {
                "introduced": "1.166.38"
              },
              {
                "last_affected": "1.166.38"
              },
              {
                "introduced": "1.166.41"
              },
              {
                "last_affected": "1.166.41"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "CPE_STRING"
            ]
          },
          "events": [
            {
              "introduced": "91d10855e8dfe6bd09070eb6c5aa325451548df4"
            },
            {
              "last_affected": "dad0ec8f41fbc11a8c964604cdbbfa51ab1a40ae"
            }
          ],
          "repo": "https://github.com/tanstack/router",
          "type": "GIT"
        }
      ],
      "versions": [
        "0.0.4",
        "0.0.7",
        "0.3.2",
        "0.3.3",
        "0.5.3",
        "0.5.7",
        "0.6.2",
        "0.6.3",
        "0.8.1",
        "0.8.2",
        "0.8.4",
        "0.8.5",
        "1.154.12",
        "1.166.12",
        "1.166.15",
        "1.166.16",
        "1.166.18",
        "1.166.19",
        "1.166.38",
        "1.166.41",
        "1.166.46",
        "1.166.48",
        "1.166.49",
        "1.166.51",
        "1.167.33",
        "1.167.36",
        "1.167.38",
        "1.167.41",
        "1.167.6",
        "1.167.65",
        "1.168.3",
        "1.168.5",
        "1.168.6",
        "1.168.8",
        "1.169.5",
        "1.169.8"
      ]
    }
  ],
  "aliases": [
    "GHSA-g7cv-rxg3-hmpx"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-506"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45321.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "1.161.9"
          },
          {
            "last_affected": "1.161.9"
          },
          {
            "introduced": "1.161.12"
          },
          {
            "last_affected": "1.161.12"
          },
          {
            "introduced": "1.161.9"
          },
          {
            "last_affected": "1.161.9"
          },
          {
            "introduced": "1.161.12"
          },
          {
            "last_affected": "1.161.12"
          },
          {
            "introduced": "1.154.15"
          },
          {
            "last_affected": "1.154.15"
          },
          {
            "introduced": "1.167.68"
          },
          {
            "last_affected": "1.167.68"
          },
          {
            "introduced": "1.167.71"
          },
          {
            "last_affected": "1.167.71"
          },
          {
            "introduced": "1.166.54"
          },
          {
            "last_affected": "1.166.54"
          },
          {
            "introduced": "0.0.47"
          },
          {
            "last_affected": "0.0.47"
          },
          {
            "introduced": "0.0.50"
          },
          {
            "last_affected": "0.0.50"
          },
          {
            "introduced": "1.166.55"
          },
          {
            "last_affected": "1.166.55"
          },
          {
            "introduced": "1.166.58"
          },
          {
            "last_affected": "1.166.58"
          },
          {
            "introduced": "1.161.11"
          },
          {
            "last_affected": "1.161.11"
          },
          {
            "introduced": "1.161.14"
          },
          {
            "last_affected": "1.161.14"
          },
          {
            "introduced": "1.166.53"
          },
          {
            "last_affected": "1.166.53"
          },
          {
            "introduced": "1.166.56"
          },
          {
            "last_affected": "1.166.56"
          },
          {
            "introduced": "1.167.68"
          },
          {
            "last_affected": "1.167.68"
          },
          {
            "introduced": "1.166.53"
          },
          {
            "last_affected": "1.166.53"
          },
          {
            "introduced": "1.166.54"
          },
          {
            "last_affected": "1.166.54"
          },
          {
            "introduced": "1.166.57"
          },
          {
            "last_affected": "1.166.57"
          },
          {
            "introduced": "1.161.9"
          },
          {
            "last_affected": "1.161.9"
          },
          {
            "introduced": "1.161.12"
          },
          {
            "last_affected": "1.161.12"
          },
          {
            "introduced": "1.169.23"
          },
          {
            "last_affected": "1.169.23"
          },
          {
            "introduced": "1.169.26"
          },
          {
            "last_affected": "1.169.26"
          },
          {
            "introduced": "1.161.10"
          },
          {
            "last_affected": "1.161.10"
          },
          {
            "introduced": "1.161.13"
          },
          {
            "last_affected": "1.161.13"
          },
          {
            "introduced": "1.166.53"
          },
          {
            "last_affected": "1.166.53"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target \"Pwn Request\" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.",
  "id": "CVE-2026-45321",
  "modified": "2026-07-08T05:39:16.172953364Z",
  "published": "2026-05-12T00:12:35.452Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45321.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45321"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/TanStack/router/issues/7383"
    },
    {
      "type": "ARTICLE",
      "url": "https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys"
}