47 matches found
CVE-2026-59195
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml who...
EUVD-2026-41882
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...
CVE-2026-59196
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...
CVE-2026-50021
A flaw was found in pnpm, a package manager. An attacker who can modify the pnpm-lock.yaml file and control the package registry can exploit this vulnerability. By removing the integrity field from the lockfile and serving altered package content, the pnpm install --frozen-lockfile command can...
External Control of File Name or Path
Overview pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended nodemodules directory by crafting a...
EUVD-2026-39485
pnpm: Reserved bin name deletes PNPMHOME during global remove...
EUVD-2026-39498
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run...
EUVD-2026-39495
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry...
pnpm: Git Fetch Argument Injection via Lockfile resolution.commit
Summary pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git option such as...
CVE-2026-55697
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency ...
CVE-2026-48995
pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if thi...
CVE-2026-55180
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...
CVE-2026-55698
pnpm advisory (CVE-2026-55698) affects pnpm by allowing a crafted env lockfile in pnpm-lock.yaml to bypass fresh package-manager resolution and cause installation of bytes selected by the lockfile state. The issue occurs prior to 10.34.2 and 11.5.3, which have fixed the vulnerability. The vulnera...
PT-2026-52523
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.2 pnpm versions 11.0.0 through 11.5.2 Description pnpm can persist package-manager bootstrap metadata in the first YAML document of the pnpm-lock.yaml file. The issue occurs when pnpm incorrectly trusts an already...
PT-2026-52513
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.0 pnpm versions prior to 11.4.0 Description pnpm passes the git resolution.commit value from the lockfile to the git fetch command without using a -- separator or performing commit-format validation. When git...
PT-2026-52514
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.0 pnpm versions prior to 11.4.0 Description The patch application pipeline @pnpm/patch-package fails to validate file paths extracted from .patch files. An attacker can provide a malicious patch file containing...
CVE-2026-23890
A flaw was found in pnpm, a package manager. A remote attacker can exploit a path traversal vulnerability by crafting malicious npm packages. This vulnerability allows the attacker to bypass validation by using bin names starting with an "@" symbol, enabling them to create executable shims or...
CVE-2026-24056
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
CVE-2026-24131
pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's directories.bin field, it uses path.join without validating the result stays within the package root. A malicious npm package can specify "directories": "bin": "../../../../tmp" to escape the package directory,...
EUVD-2026-4653
pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's directories.bin field, it uses path.join without validating the result stays within the package root. A malicious npm package can specify "directories": "bin": "../../../../tmp" to escape the package directory,...