PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45321 @tanstack CVE debrief

A critical-severity vulnerability in TanStack has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, with known ransomware campaign use confirmed. Publicly available details do not specify the nature of the vulnerability. CISA has set a remediation due date of June 10, 2026. Organizations should prioritize mitigation in accordance with vendor guidance and the applicable Binding Operational Directive 22-01 requirements for cloud services.

Vendor: @tanstack
Product: arktype-adapter
CVSS: CRITICAL 9.6
CISA KEV: Listed
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations using TanStack libraries or frameworks in production environments, particularly those subject to CISA BOD 22-01 compliance requirements or operating in sectors targeted by ransomware campaigns.

Technical summary

CVE-2026-45321 is a critical vulnerability in TanStack products whose type has not been specified. CISA has confirmed known ransomware campaign use and assigned a remediation due date of June 10, 2026. The vulnerability carries a CVSS score of 9.6. The disclosed sources do not give the vulnerability class, affected versions, or attack vectors. Organizations using TanStack components should consult vendor security advisories for definitive patching guidance.

Defensive priority

CRITICAL

Recommended defensive actions

  • Apply vendor-provided mitigations as soon as possible, per CISA KEV required action guidance
  • Follow applicable Binding Operational Directive 22-01 guidance for cloud services where TanStack components are deployed
  • Discontinue use of affected TanStack products if vendor mitigations are unavailable
  • Monitor TanStack security advisories for specific patch availability and version guidance
  • Review environments for TanStack component usage to determine exposure scope
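One way to carry out the exposure review in the last action, as an added example that is not part of the original advisory: a Node.js helper that lists every package under the `@tanstack/` scope recorded in a parsed npm `package-lock.json`, including transitive copies. The sample lockfile, its package names and its versions are constructed placeholders. Because the advisory names no affected versions, the helper only inventories and does not judge which versions are vulnerable.

```javascript
// Added example: list every package in the @tanstack scope found in an npm lockfile.
const SCOPE = "@tanstack/";

// "node_modules/a/node_modules/@tanstack/x" -> "@tanstack/x"
function nameFromPath(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function findScoped(lock, scope = SCOPE) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path (transitive copies included)
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (meta.link) continue; // workspace symlink; the real entry is listed separately
      const name = meta.name || nameFromPath(key);
      if (name && name.startsWith(scope)) {
        hits.push({ name, version: meta.version, path: key, dev: Boolean(meta.dev) });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree, walk it recursively
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = [...trail, name].join(" > ");
        if (name.startsWith(scope)) {
          hits.push({ name, version: meta.version, path, dev: Boolean(meta.dev) });
        }
        if (meta.dependencies) walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (package names and versions are placeholders).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/example-a": { version: "1.2.3" },
    "node_modules/left-lib": { version: "4.0.0" },
    "node_modules/left-lib/node_modules/@tanstack/example-a": { version: "1.1.0" },
    "node_modules/@tanstack/example-b": { version: "0.9.0", dev: true },
  },
};

console.table(findScoped(SAMPLE_LOCK));
```

To scan a real project, pass `findScoped` the result of `JSON.parse` on the contents of its `package-lock.json`, then compare the reported versions with the vendor advisory once it names the affected releases.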

Evidence notes

CISA KEV entry confirms active exploitation with known ransomware campaign use. CVSS 9.6 CRITICAL severity. Specific vulnerability type and affected component versions are not detailed in available sources.

Official resources

CISA KEV disclosure with known ransomware campaign use