GHSA-2gmp-34j9-fqjm

Source
https://github.com/advisories/GHSA-2gmp-34j9-fqjm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2gmp-34j9-fqjm/GHSA-2gmp-34j9-fqjm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2gmp-34j9-fqjm
Aliases
  • CVE-2026-2265
Published
2026-04-01T18:36:38Z
Modified
2026-04-03T23:31:26.407763Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Replicator deserializes untrusted user input
Details

An unauthenticated Remote Code Execution (RCE) vulnerability exists in applications that use version 1.0.5 of the Replicator npm (Node Package Manager) package to deserialize untrusted user input and execute the resulting object.

Database specific
{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T23:15:20Z",
    "nvd_published_at": "2026-04-01T17:28:38Z"
}
References

Affected packages

npm / replicator

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
1.0.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2gmp-34j9-fqjm/GHSA-2gmp-34j9-fqjm.json"