Lucene search
K

19 matches found

RedhatCVE
RedhatCVE
added 3 days ago7 views

CVE-2026-48995

A flaw was found in pnpm, a package manager. This vulnerability allows a remote attacker to serve malicious software packages if the codeload.github.com server is compromised or a user's machine configuration is tampered with. The issue arises because pnpm does not verify the integrity of...

7.5CVSS6.5AI score0.00116EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 3 days ago7 views

CVE-2026-50021

A flaw was found in pnpm, a package manager. An attacker who can modify the pnpm-lock.yaml file and control the package registry can exploit this vulnerability. By removing the integrity field from the lockfile and serving altered package content, the pnpm install --frozen-lockfile command can...

8.1CVSS6.3AI score0.00126EPSS
Exploits1References4
EUVD
EUVD
added 2026/06/26 10:53 p.m.10 views

EUVD-2026-39488

pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field...

6.8CVSS5.8AI score0.00126EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/26 10:53 p.m.7 views

pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field

Summary pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install...

8.1CVSS5.8AI score0.00126EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/06/25 6:16 p.m.10 views

CVE-2026-50021

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...

8.1CVSS0.00126EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/25 4:48 p.m.34 views

CVE-2026-50021 pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...

6.8CVSS0.00126EPSS
Exploits1References1
CVE
CVE
added 2026/06/25 4:48 p.m.22 views

CVE-2026-50021

pnpm has an integrity check bypass when the integrity field is missing from the lockfile. Concrete details from the connected docs show that prior to versions 10.34.0 and 11.4.0, pnpm’s tarball extraction worker skips tarball hash verification if integrity is undefined, allowing an attacker who c...

8.1CVSS5.9AI score0.00126EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.16 views

PT-2026-52517

Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.0 pnpm versions prior to 11.4.0 Description The tarball extraction worker in the pnpm package manager fails to perform integrity verification when the integrity field is missing from the lockfile resolution. This...

6.8CVSS5.8AI score0.00126EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.19 views

PT-2026-52518

Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.0 pnpm versions prior to 11.4.0 Description When running pnpm install in non-frozen mode, the package manager may accept new remote package content even after detecting that the downloaded tarball does not match th...

6.8CVSS5.8AI score0.00113EPSS
Exploits1References6
NVD
NVD
added 2026/04/30 7:16 p.m.18 views

CVE-2026-32148

Insufficient Verification of Data Authenticity vulnerability in hexpm hex Hex.RemoteConverger module allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However,...

8.9CVSS0.00191EPSS
Exploits1References4
CVE
CVE
added 2026/04/30 6:17 p.m.10 views

CVE-2026-32148

Summary (technical) : The Hex package manager (Hex.RemoteConverger) has a data-authenticity vulnerability where mix.lock checksums are not verified due to a type mismatch: Hex.Utils.lock/1 returns string-based dependency names while verification expects atom-based names, causing silent bypass of ...

8.9CVSS5.4AI score0.00191EPSS
Exploits1References4Affected Software1
NVD
NVD
added 2026/01/07 10:15 p.m.11 views

CVE-2025-69263

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

8.8CVSS0.0031EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/01/07 9:31 p.m.23 views

CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

7.5CVSS0.0031EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/01/07 9:31 p.m.4 views

CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

7.5CVSS6.7AI score0.0031EPSS
Exploits1References2
EUVD
EUVD
added 2026/01/07 9:31 p.m.4 views

EUVD-2026-1190

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

7.5CVSS6.5AI score0.0031EPSS
Exploits1References3
OSV
OSV
added 2026/01/07 9:31 p.m.7 views

CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

7.5CVSS6.9AI score0.0031EPSS
Exploits1References7
OSV
OSV
added 2026/01/07 7:6 p.m.9 views

GHSA-7VHP-VF5G-R2FW pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...

7.5CVSS6.9AI score0.0031EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/01/07 7:6 p.m.13 views

pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...

8.8CVSS7AI score0.0031EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/07 12:0 a.m.7 views

PT-2026-1940

Name of the Vulnerable Software and Affected Versions pnpm versions 10.26.2 and below Description pnpm, a package manager, stores HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes in versions 10.26.2 and below. This allows a remote server to deliver...

8.8CVSS6.3AI score0.0031EPSS
Exploits1References17
Rows per page
Query Builder