Lucene search
+L

5 matches found

cvelist
cvelist
added 2026/07/06 3:21 p.m.35 views

CVE-2026-59195 pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config

pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml who...

8.2CVSS0.00257EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.14 views

PT-2026-55947

Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.4 pnpm versions prior to 11.8.0 Description pnpm accepts package names from the configDependencies section of the env lockfile and uses them directly when creating config dependency symlinks under node...

8.2CVSS6AI score0.00257EPSS
Exploits1References5
osv
osv
added 2026/06/27 12:13 a.m.10 views

GHSA-QRV3-253H-G69C pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config

Summary pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a...

8.2CVSS5.7AI score0.00257EPSS
Exploits1References2
cvelist
cvelist
added 2026/06/25 4:43 p.m.33 views

CVE-2026-55698 pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained...

8.8CVSS0.00193EPSS
Exploits1References1
cve
cve
added 2026/06/25 4:43 p.m.42 views

CVE-2026-55698

pnpm advisory (CVE-2026-55698) affects pnpm by allowing a crafted env lockfile in pnpm-lock.yaml to bypass fresh package-manager resolution and cause installation of bytes selected by the lockfile state. The issue occurs prior to 10.34.2 and 11.5.3, which have fixed the vulnerability. The vulnera...

8.8CVSS6AI score0.00193EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder