CVE-2026-34841 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-34841

CVE-2026-34841

Published:April 06, 2026

Updated:April 20, 2026

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1

Affected Packages

@usebruno/cli (NPM):

Affected version(s) >=0.1.0 <3.2.1

Fix Suggestion:

Update to version 3.2.1

Related Resources (7)

https://github.com/advisories/GHSA-fw8c-xr5c-95f9

https://nvd.nist.gov/vuln/detail/CVE-2026-34841

https://github.com/usebruno/bruno

https://github.com/usebruno/bruno/pull/7632

https://github.com/axios/axios/issues/10604

https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g

https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Dependency on Vulnerable Third-Party Component

CWE-1395

Download of Code Without Integrity Check

CWE-494

Embedded Malicious Code

CWE-506

EPSS

Base Score:

0.02

Products

Solutions

Resources

Company

Compare

Developer Tools