U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2026-42349

Change History

Initial Analysis by NIST 6/01/2026 12:33:43 PM

Action Type Old Value New Value
Added CVSS V3.1

                  
                
              
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Added CPE Configuration

                  
                
              
OR
          *cpe:2.3:a:clerk:clerk/astro:*:*:*:*:*:node.js:*:* versions from (including) 2.0.0 up to (excluding) 2.17.11
          *cpe:2.3:a:clerk:clerk/astro:*:*:*:*:*:node.js:*:* versions from (including) 3.0.0 up to (excluding) 3.0.18
          *cpe:2.3:a:clerk:clerk/backend:*:*:*:*:*:node.js:*:* versions from (including) 2.0.0 up to (excluding) 2.33.3
          *cpe:2.3:a:clerk:clerk/chrome-extension:*:*:*:*:*:node.js:*:* versions from (including) 1.3.5 up to (excluding) 2.9.15
          *cpe:2.3:a:clerk:clerk/chrome-extension:*:*:*:*:*:node.js:*:* versions from (including) 3.0.0 up to (excluding) 3.1.15
          *cpe:2.3:a:clerk:clerk/clerk-expo:*:*:*:*:*:node.js:*:* versions from (including) 2.2.11 up to (excluding) 2.19.36
          *cpe:2.3:a:clerk:clerk/clerk-js:*:*:*:*:*:node.js:*:* versions from (including) 5.22.0 up to (excluding) 5.125.10
          *cpe:2.3:a:clerk:clerk/clerk-js:*:*:*:*:*:node.js:*:* versions from (including) 6.0.0 up to (excluding) 6.7.5
          *cpe:2.3:a:clerk:clerk/clerk-react:*:*:*:*:*:node.js:*:* versions from (including) 5.9.0 up to (excluding) 5.61.6
          *cpe:2.3:a:clerk:clerk/expo:*:*:*:*:*:node.js:*:* versions from (including) 3.0.0 up to (excluding) 3.2.2
          *cpe:2.3:a:clerk:clerk/express:*:*:*:*:*:node.js:*:* versions from (including) 0.1.0 up to (excluding) 1.7.79
          *cpe:2.3:a:clerk:clerk/express:*:*:*:*:*:node.js:*:* versions from (including) 2.0.0 up to (excluding) 2.1.6
          *cpe:2.3:a:clerk:clerk/fastify:*:*:*:*:*:node.js:*:* versions from (including) 1.0.42 up to (excluding) 2.6.31
          *cpe:2.3:a:clerk:clerk/fastify:*:*:*:*:*:node.js:*:* versions from (including) 3.0.0 up to (excluding) 3.1.16
          *cpe:2.3:a:clerk:clerk/hono:*:*:*:*:*:node.js:*:* versions from (including) 0.0.2 up to (excluding) 0.1.16
          *cpe:2.3:a:clerk:clerk/nextjs:*:*:*:*:*:node.js:*:* versions from (including) 6.0.0 up to (including) 6.39.3
          *cpe:2.3:a:clerk:clerk/nextjs:*:*:*:*:*:node.js:*:* versions from (including) 7.0.0 up to (excluding) 7.2.4
          *cpe:2.3:a:clerk:clerk/nuxt:*:*:*:*:*:node.js:*:* versions from (including) 1.0.0 up to (excluding) 1.13.29
          *cpe:2.3:a:clerk:clerk/react:*:*:*:*:*:node.js:*:* versions from (including) 6.0.0 up to (excluding) 6.4.3
          *cpe:2.3:a:clerk:clerk/react-router:*:*:*:*:*:node.js:*:* versions from (including) 0.0.1 up to (excluding) 2.4.13
          *cpe:2.3:a:clerk:clerk/react-router:*:*:*:*:*:node.js:*:* versions from (including) 3.0.0 up to (excluding) 3.1.4
          *cpe:2.3:a:clerk:clerk/shared:*:*:*:*:*:node.js:*:* versions from (including) 3.0.0 up to (excluding) 3.47.5
          *cpe:2.3:a:clerk:clerk/shared:*:*:*:*:*:node.js:*:* versions from (including) 4.0.0 up to (excluding) 4.8.3
          *cpe:2.3:a:clerk:clerk/tanstack-react-start:*:*:*:*:*:node.js:*:* versions from (including) 0.0.1 up to (excluding) 0.29.11
          *cpe:2.3:a:clerk:clerk/tanstack-react-start:*:*:*:*:*:node.js:*:* versions from (including) 1.0.0 up to (excluding) 1.1.4
          *cpe:2.3:a:clerk:clerk/vue:*:*:*:*:*:node.js:*:* versions from (including) 1.0.0 up to (excluding) 1.17.21
          *cpe:2.3:a:clerk:clerk/vue:*:*:*:*:*:node.js:*:* versions from (including) 2.0.0 up to (excluding) 2.0.16
          *cpe:2.3:a:clerk:clerk/backend:*:*:*:*:*:node.js:*:* versions from (including) 3.0.0 up to (excluding) 3.2.14
          *cpe:2.3:a:clerk:clerk/nuxt:*:*:*:*:*:node.js:*:* versions from (including) 2.0.0 up to (excluding) 2.2.5
Added Reference Type

                  
                
              
CISA-ADP: https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c Types: Mitigation, Vendor Advisory
Added Reference Type

                  
                
              
GitHub, Inc.: https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c Types: Mitigation, Vendor Advisory