PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46508 vercel CVE debrief

CVE-2026-46508 is a high-severity (CVSS 8.4) command injection vulnerability in the Turborepo Language Server Protocol (LSP) VS Code extension, published 2026-05-15 and last modified 2026-05-19. Before version 2.9.14000, the extension built daemon commands and task runs as shell command strings, so workspace-controlled values, such as crafted task names or workspace settings, were interpolated directly into those strings. When the extension activated or executed tasks, the user's shell interpreted those values, which could result in arbitrary command execution with the privileges of the local VS Code process. The vulnerability is classified as CWE-77 (Command Injection) and is remediated in version 2.9.14000. No exploitation in the wild or use in ransomware campaigns has been reported.

Vendor: vercel
Product: turborepo
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Developers using the Turborepo LSP VS Code extension, particularly those working with repositories from external or untrusted sources. Security teams managing developer tooling and IDE extensions. Organizations with developers using Turborepo for JavaScript/TypeScript monorepo management.

Technical summary

The Turborepo LSP VS Code extension executed shell commands using string interpolation of workspace-controlled values. Malicious repositories could inject arbitrary shell commands through crafted task names or workspace settings, which would execute when the extension activated or ran tasks. The vulnerability required local access and user interaction (opening a workspace), but resulted in high impact to confidentiality, integrity, and availability of the VS Code process.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade the Turborepo LSP VS Code extension to version 2.9.14000 or later.
  • Review workspace settings and task configurations in untrusted repositories before opening them in VS Code.
  • Exercise caution when opening workspaces from untrusted sources, as malicious task names or settings could trigger command execution.
  • Verify extension version via VS Code's Extensions panel and enable automatic updates for security patches.

Evidence notes

CVSS 4.0 vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Affected versions: all versions prior to 2.9.14000 of the Turborepo LSP extension for Visual Studio Code. CPE: cpe:2.3:a:vercel:turborepo_language_server_protocol:*:*:*:*:*:visual_studio_code:*:*.

Official resources

The vulnerability was disclosed via GitHub Security Advisory and subsequently analyzed by NVD. The vendor advisory was published concurrently with the CVE record on 2026-05-15, with NVD analysis completed by 2026-05-19.