Lucene search
+L

5 matches found

redhatcve
redhatcve
added 2026/07/06 2:22 p.m.8 views

CVE-2026-48995

A flaw was found in pnpm, a package manager. This vulnerability allows a remote attacker to serve malicious software packages if the codeload.github.com server is compromised or a user's machine configuration is tampered with. The issue arises because pnpm does not verify the integrity of...

7.5CVSS6.5AI score0.00116EPSS
Exploits1References4
euvd
euvd
added 2026/06/26 9:49 p.m.7 views

EUVD-2026-39497

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile...

7.5CVSS5.8AI score0.00116EPSS
Exploits1References2
github
github
added 2026/06/26 9:49 p.m.7 views

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile

Summary A malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. Details The lockfile does not store the hash of the dependencies from https://codeload.github.com This means that if this server was compromised or a person's...

7.5CVSS5.8AI score0.00116EPSS
Exploits1References3Affected Software1
nvd
nvd
added 2026/06/25 6:16 p.m.8 views

CVE-2026-48995

pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if thi...

7.5CVSS0.00116EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2026/06/25 12:0 a.m.10 views

PT-2026-52512

Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.33.4 pnpm versions prior to 11.0.7 Description A flaw exists where the package manager does not store the hash of dependencies sourced from codeload.github.com in the lockfile. Consequently, a compromised server or...

7.5CVSS5.9AI score0.00116EPSS
Exploits1References8
Rows per page
Query Builder