Security Advisory

CVE-2026-24910

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-01-27 22:26:26

Last updated 2026-01-28 21:19:54

Assigner mitre

State PUBLISHED

Description

In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).

← Browse all CVEs View on cve.org ↗