CVE-2026-24910
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: MITRE

Description
In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-27
Generated
2026-06-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24910
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor bun to 1.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
AI Quick Actions have not been generated yet.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24910. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart