{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2265", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-02-09T19:27:28.332Z", "datePublished": "2026-04-01T16:11:25.107Z", "dateUpdated": "2026-04-01T19:27:36.981Z"}, "containers": {"cna": {"title": "Replicator 1.0.5 is vulnerable to Remote Code Execution through Insecure Deserialization", "descriptions": [{"lang": "en", "value": "An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Replicator", "product": "Replicator", "versions": [{"status": "affected", "version": "1.0.5"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "references": [{"url": "https://github.com/inikulin/replicator"}, {"url": "https://github.com/inikulin/replicator/pull/19"}, {"url": "https://morielharush.github.io/2026/03/31/cve-2026-2265-replicator-deserialization-of-untrusted-data/"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-2265"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-01T16:11:25.107Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:27:21.463751Z", "id": "CVE-2026-2265", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:27:36.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2265", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T19:27:21.463751Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:27:32.498Z"}}], "cna": {"title": "Replicator 1.0.5 is vulnerable to Remote Code Execution through Insecure Deserialization", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Replicator", "product": "Replicator", "versions": [{"status": "affected", "version": "1.0.5"}]}], "references": [{"url": "https://github.com/inikulin/replicator"}, {"url": "https://github.com/inikulin/replicator/pull/19"}, {"url": "https://morielharush.github.io/2026/03/31/cve-2026-2265-replicator-deserialization-of-untrusted-data/"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-2265"}, "descriptions": [{"lang": "en", "value": "An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-01T16:11:25.107Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2265", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:27:36.981Z", "dateReserved": "2026-02-09T19:27:28.332Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-01T16:11:25.107Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object."}], "id": "CVE-2026-2265", "lastModified": "2026-04-01T20:16:24.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T17:28:38.410", "references": [{"source": "cret@cert.org", "url": "https://github.com/inikulin/replicator"}, {"source": "cret@cert.org", "url": "https://github.com/inikulin/replicator/pull/19"}, {"source": "cret@cert.org", "url": "https://morielharush.github.io/2026/03/31/cve-2026-2265-replicator-deserialization-of-untrusted-data/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.5"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "Replicator", "source": "cna", "vendor": "Replicator"}, "product": "replicator", "vendor": "replicator_project"}], "analysis": {"en": {"generated_at": "2026-04-02T02:47:14.423025+00:00", "value": {"mitigation_remediation": ["Upgrade Replicator to a non\u2011vulnerable release that removes insecure deserialization of untrusted data.", "If an upgrade is not immediately possible, apply the patch described in pull request 19, or otherwise ensure that the application does not deserialize data supplied by untrusted sources."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Replicator, version 1.0.5, used as a Node.js package manager. Systems incorporating this specific version are at risk; newer or older versions are not indicated as affected by the available data.", "description_and_impact": "An unauthenticated remote code execution vulnerability exists in the Replicator 1.0.5 npm package. The flaw arises when the application blindly deserializes untrusted user input, allowing an attacker to construct an object that triggers arbitrary code execution upon deserialization.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, while no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote and unauthenticated, as the description states that the flaw is triggered by deserializing untrusted user input. Successful exploitation would enable an attacker to run arbitrary code with the privileges of the application, compromising confidentiality, integrity, and availability of affected systems."}}}}, "created": "2026-04-02T07:48:52.373827+00:00", "updated": "2026-04-02T20:17:17.980880+00:00", "vendors": ["replicator_project", "replicator_project$PRODUCT$replicator"], "weaknesses": ["CWE-347"]}