2 matches found
CVE-2026-55700
pnpm stage download (affecting 11.3.0–11.5.3) allowed a crafted manifest to derive a local filename from package name and version, enabling the download to escape the target directory and overwrite a reachable file. The merged fix validates both fields, derives a single safe filename, and verifie...
PT-2026-25048
Name of the Vulnerable Software and Affected Versions mirror-registry affected versions not specified Description An issue exists in mirror-registry where an authenticated user can manipulate the system into accessing unintended internal or restricted systems by supplying malicious web addresses...