Lucene search
K

9 matches found

RedhatCVE
RedhatCVE
added 2026/07/06 3:10 p.m.5 views

CVE-2026-55180

A flaw was found in pnpm and pacquet. A malicious repository could exploit this vulnerability by crafting specific .npmrc or pnpm-workspace.yaml files. When these package managers process these files, they improperly expand environment variable placeholders, leading to the disclosure of sensitive...

6.5CVSS5.8AI score0.00212EPSS
Exploits1References4
OSV
OSV
added 2026/06/27 12:2 a.m.6 views

GHSA-FR4H-3CPH-29XV pnpm: Hoisted install imports lockfile alias outside node_modules

Summary The hoisted dependency alias issue tracked as GHSA-fr4h-3cph-29xv / CAND-PNPM-059 has been addressed in both pnpm and pacquet. A crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases suc...

7.1CVSS5.8AI score0.00262EPSS
Exploits1References2
OSV
OSV
added 2026/06/26 11:20 p.m.4 views

GHSA-GJ8W-MVPF-X27X pnpm: Repository-controlled configDependencies can select a pacquet native install engine

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-097 / GHSA-gj8w-mvpf-x27x - Advisory URL:...

7.5CVSS6.1AI score0.00127EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/06/26 11:20 p.m.21 views

pnpm: Repository-controlled configDependencies can select a pacquet native install engine

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-097 / GHSA-gj8w-mvpf-x27x - Advisory URL:...

8.8CVSS6.1AI score0.00127EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/06/25 6:16 p.m.9 views

CVE-2026-55697

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency ...

8.8CVSS0.00127EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 4:42 p.m.23 views

CVE-2026-55697

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency ...

7.5CVSS5.9AI score0.00127EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/25 4:42 p.m.29 views

CVE-2026-55697 pnpm: Repository-controlled configDependencies can select a pacquet native install engine

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency ...

7.5CVSS0.00127EPSS
Exploits1References1
CVE
CVE
added 2026/06/25 4:42 p.m.14 views

CVE-2026-55697

pnpm is vulnerable prior to 10.34.2 and 11.5.3: repository‑controlled configDependencies in pnpm-workspace.yaml could cause pnpm to install a repository‑controlled install‑engine (pacquet) by resolving a platform‑specific @pacquet/-/pacquet binary from node_modules/.pnpm-config and spawning it as...

8.8CVSS5.9AI score0.00127EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.13 views

PT-2026-52522

Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.2 pnpm versions prior to 11.5.3 Description pnpm allows the installation of configDependencies declared in pnpm-workspace.yaml before command dispatch. A repository can declare pacquet or @pnpm/pacquet as a config...

8.8CVSS5.8AI score0.00127EPSS
Exploits1References9
Rows per page
Query Builder