CVE-2026-2265

MEDIUM

Replicator 1.0.5 is vulnerable to Remote Code Execution through Insecure Deserialization

Title source: cna

Description

An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.

References (3)

https://github.com/inikulin/replicator

View Writeup ZIP pw:eip

https://github.com/inikulin/replicator/pull/19

https://morielharush.github.io/2026/03/31/cve-2026-2265-replicator-deserialization-of-untrusted-data/

Scores

CVSS v3 6.5

EPSS 0.0011

EPSS Percentile 28.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

Status published

Products (2)

npm/replicator 0npm

Replicator/Replicator 1.0.5

Published Apr 01, 2026

Tracked Since Apr 01, 2026