CVE-2026-2265

MEDIUM

Replicator 1.0.5 is vulnerable to Remote Code Execution through Insecure Deserialization

Title source: cna
STIX 2.1

Description

An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.

Scores

CVSS v3 6.5
EPSS 0.0037
EPSS Percentile 28.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (2)
npm/replicator 0npm
Replicator/Replicator 1.0.5
Published Apr 01, 2026
Tracked Since Apr 01, 2026