VYPR
Medium severity5.9NVD Advisory· Published Jan 27, 2026· Updated Apr 15, 2026

CVE-2026-24910

CVE-2026-24910

Description

In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.