2 matches found
EUVD-2026-4656
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal...
Relative Path Traversal
Overview @pnpm/package-bins is a that returns bins of a package. Affected versions of this package are vulnerable to Relative Path Traversal via the commandsFromBin function when performing bin name validation and normalization. An attacker can create or overwrite arbitrary files outside the...