9 matches found
CVE-2026-24056
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
CVE-2026-24056
CVE-2026-24056 affects pnpm prior to 10.28.2: when installing file: or git: dependencies, symlinks are followed and their target contents read outside the package root, enabling possible leakage of local data (e.g., credentials) into node_modules. Root cause: store/cafs/src/addFilesFromDir.ts use...
CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
EUVD-2026-4658
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
pnpm has symlink traversal in file:/git dependencies
Summary When pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd, /.ssh/idrsa causes pnpm to copy that file's contents...
PT-2026-4827
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.28.2 Description pnpm, a package manager, is affected by an issue where installing a file: or git: dependency allows it to follow symlinks and read their target contents without restricting them to the package root. A...
pnpm post-link vulnerability
PNPM is a package manager developed by the open-source project Pnpm. Prior to version 10.28.2, Pnpm had a backlink vulnerability. This vulnerability stemmed from the use of symbolic links when installing dependencies via file: or git:. Such practices could lead to local data leaks...