Lucene search
K

5 matches found

CVE
CVE
added 2026/06/25 4:44 p.m.21 views

CVE-2026-55699

CVE-2026-55699 affects pnpm. Prior to versions 10.34.2 and 11.5.3, manifest bin object keys such as "", ".", and ".." could bypass the bin-name guard. In a scenario where a malicious global package is installed, downstream global remove/update/add-replacement flows could re-derive those names and...

6.5CVSS5.9AI score0.00286EPSS
Exploits1References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/27 4:59 a.m.8 views

CVE-2026-23890

A flaw was found in pnpm, a package manager. A remote attacker can exploit a path traversal vulnerability by crafting malicious npm packages. This vulnerability allows the attacker to bypass validation by using bin names starting with an "@" symbol, enabling them to create executable shims or...

6.5CVSS6.3AI score0.00438EPSS
Exploits1References6
ATTACKERKB
ATTACKERKB
added 2026/01/26 9:53 p.m.3 views

CVE-2026-23890

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal...

6.5CVSS5.9AI score0.00438EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/01/26 9:2 p.m.5 views

GHSA-XPQM-WM3M-F34H pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact. Details Th...

6.5CVSS5.9AI score0.00438EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/01/26 9:2 p.m.8 views

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact. Details Th...

6.5CVSS5.9AI score0.00438EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder