Arbitrary Command Execution Vulnerability in Turborepo LSP for VS Code by Vercel
CVE-2026-46508

8.4 HIGH

Key Information:

Vendor: Vercel
Status: Vendor
CVE Published: 15 May 2026

What is CVE-2026-46508?

The Turborepo LSP VS Code extension prior to version 2.9.14000 contains a vulnerability that allows arbitrary command execution. The extension uses string-based command execution to run tasks, and values from workspace settings or task names are interpolated into those shell commands. When a user activates the extension or triggers a task, a maliciously crafted value is therefore interpreted by the shell, enabling unauthorized command execution with the privileges of the local VS Code process. The vulnerability highlights the risks of workspace-controlled values and underscores the importance of secure coding practices in extensions and plugins.
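The difference between string-based execution and argument-array execution described above, as an added example that is not the extension's code. A Node child process that prints its arguments stands in for the task runner; the function names, the allowlist pattern and the sample task name are assumptions.

```javascript
// Added example, not the extension's code. A Node child that prints its argv
// stands in for the task runner so this runs offline (POSIX shell assumed).
const { execSync, execFileSync } = require("node:child_process");

const STAND_IN = process.execPath; // hypothetical stand-in for the real CLI
const PRINT_ARGV = "console.log(JSON.stringify(process.argv.slice(1)))";
// Assumed allowlist for task names; a leading "-" is refused so a name can
// never be read as an option by the program that receives it.
const TASK_NAME = /^[A-Za-z0-9@][A-Za-z0-9@\/_.:#-]*$/;

// Vulnerable pattern: the value is pasted into a string that a shell parses,
// so ";" and other metacharacters in it become shell syntax.
function runTaskUnsafe(taskName) {
  const cmd = `"${STAND_IN}" -e '${PRINT_ARGV}' run ${taskName}`;
  return execSync(cmd, { encoding: "utf8" }).trim().split("\n");
}

// No shell: every array element reaches the child as exactly one argument.
function argvSeenByChild(args) {
  const out = execFileSync(STAND_IN, ["-e", PRINT_ARGV, ...args], { encoding: "utf8" });
  return JSON.parse(out);
}

// Hardened pattern: validate the workspace value, then pass it as an argument.
function runTaskSafe(taskName) {
  if (typeof taskName !== "string" || !TASK_NAME.test(taskName)) {
    throw new Error(`rejected task name: ${JSON.stringify(taskName)}`);
  }
  return argvSeenByChild(["run", taskName]);
}

// Constructed sample value, as it might appear in a workspace file.
const HOSTILE = "build; echo INJECTED";

console.log(runTaskUnsafe(HOSTILE));            // second line comes from the shell
console.log(argvSeenByChild(["run", HOSTILE])); // one argument, nothing extra runs
try {
  runTaskSafe(HOSTILE);
} catch (err) {
  console.log(err.message);
}
console.log(runTaskSafe("web#build"));
```

Validation is defence in depth here: the argument array alone already keeps the value out of a shell parser, and the allowlist additionally stops a value from being read as an option.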

Affected Version(s)

turborepo < 2.9.14000

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
