5 matches found

SUSE CVE
added 2026/01/28 12:24 a.m. | 6 views

SUSE CVE-2026-24056

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...

CVSS 6.7 | AI score 5.9 | EPSS 0.00014
Exploits: 1 | References: 3
AlpineLinux
added 2026/01/26 9:59 p.m. | 4 views

CVE-2026-24056

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...

CVSS 6.7 | AI score 5.9 | EPSS 0.00014
Exploits: 1
OSV
added 2026/01/26 9:2 p.m. | 5 views

GHSA-M733-5W8F-5GGW pnpm has symlink traversal in file:/git dependencies

Summary: When pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd, ~/.ssh/id_rsa causes pnpm to copy that file's contents...

CVSS 6.7 | AI score 6.1 | EPSS 0.00014
Exploits: 1 | References: 5
OSV
added 2025/09/05 5:55 a.m. | 3 views

MAL-2025-42147 Malicious code in file-dependency (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis db9d9ac2b90c17d04ff56afe81a886e99665eb55048e7cc7c9a3f0b1855db828 The OpenSSF Package Analysis project identified 'file-dependency' @ 7.0.1 npm as malicious. It is considered malicious because: - The package...

AI score 7.2
Exploits: 0
Cvelist
added 2024/12/04 12:0 a.m. | 14 views

CVE-2024-54661

readline.sh in socat before 1.8.0.2 relies on the /tmp/$USER/stderr2 file...

EPSS 0.00164
Exploits: 0 | References: 2