THREAT WATCH
High Microsoft Active Directory Federation Services: CVE-2026-56155 — Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability Medium Microsoft SharePoint Server: CVE-2026-56164 — Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability Critical SonicWall SMA1000 Appliances: CVE-2026-15409 — SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability Actively Exploited SonicWall SMA1000 Appliances: CVE-2026-15410 — SonicWall SMA1000 Appliances Code Injection Vulnerability Medium Cisco IOS: CVE-2008-4128 — Cisco IOS Cross-Site Request Forgery Vulnerability Critical Balbooa Forms: CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability Critical iCagenda iCagenda: CVE-2026-48939 — iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability Critical JoomShaper SP Page Builder: CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability High Microsoft Active Directory Federation Services: CVE-2026-56155 — Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability Medium Microsoft SharePoint Server: CVE-2026-56164 — Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability Critical SonicWall SMA1000 Appliances: CVE-2026-15409 — SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability Actively Exploited SonicWall SMA1000 Appliances: CVE-2026-15410 — SonicWall SMA1000 Appliances Code Injection Vulnerability Medium Cisco IOS: CVE-2008-4128 — Cisco IOS Cross-Site Request Forgery Vulnerability Critical Balbooa Forms: CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability Critical iCagenda iCagenda: CVE-2026-48939 — iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability Critical JoomShaper SP Page Builder: CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability

CVE-2026-45321 — TanStack Unspecified Vulnerability

Back to Threat Intel Dashboard
Critical CVSS 9.6 Actively exploited · CISA KEV ⚠ Used in Ransomware Campaigns

TanStack TanStack

CVE-2026-45321 Added May 27, 2026 Remediation deadline has passed
TL;DR

TanStack TanStack is affected by a critical-severity vulnerability (CVE-2026-45321) that is confirmed to be actively exploited in the wild. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

What is this vulnerability?

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

How it works

This is classified as CWE-506. In plain terms, an attacker could use this flaw in TanStack to gain access, disrupt service, or steal data — the exact impact depends on how it’s deployed in your environment.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Mitigations

  • Apply the vendor’s security patch or update as soon as it’s available and tested.
  • If no patch exists yet, apply the vendor’s temporary workaround.
  • Limit network exposure of the affected system until it’s patched.
  • Review logs for signs of prior exploitation, especially if it’s flagged for ransomware use.

Recommendations

  • Confirm whether TanStack TanStack is used anywhere in your environment.
  • Patch internet-facing systems first, then internal ones.
  • Set a reminder ahead of the remediation deadline so it doesn’t slip.
  • Subscribe to the vendor’s security advisories for earlier warning next time.

Compiled from public threat intelligence (CISA Known Exploited Vulnerabilities catalog and the National Vulnerability Database, referenced in 5 public advisories).