On 27 May 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑45321 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry concerns the TanStack product from the vendor TanStack, which contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry, distributing credential‑stealing malware under a trusted identity.
The vulnerability is an unspecified flaw in the TanStack component that enables an attacker to publish a tampered package to npm, thereby executing arbitrary code on systems that install the compromised version. This can lead to credential theft and further system compromise. The Common Vulnerability Scoring System (CVSS) v3.1 scores the flaw at 9.6, rating it as Critical. A patch is available from the vendor. The flaw resides in an open‑source component that may be used as a dependency in various products.
Inclusion in the KEV catalogue means CISA has evidence that the flaw is being actively exploited in the wild. No public reports link this vulnerability to ransomware campaigns at this time. Federal civilian executive branch (FCEB) agencies must remediate the issue by 10 June 2026, the date set by CISA.
CISA’s required action is to apply mitigations per vendor instructions, follow applicable Binding Operational Directive (BOD) 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While the directive binds FCEB agencies, all organisations should review their use of TanStack components and apply the available patch or equivalent mitigations. Organisations should also check any downstream applications that incorporate the TanStack router package.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-45321 and the CISA KEV catalogue.