Lucene search
K

46 matches found

RedhatCVE
RedhatCVE
added last week6 views

CVE-2026-50014

A flaw was found in pnpm, a package manager. An attacker could exploit this vulnerability by providing a malicious lockfile, which could lead to arbitrary code execution. This occurs because pnpm incorrectly processes git dependency information, allowing a crafted input to execute unauthorized...

7.3CVSS6.2AI score0.0018EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/06/26 9:49 p.m.7 views

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile

Summary A malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. Details The lockfile does not store the hash of the dependencies from https://codeload.github.com This means that if this server was compromised or a person's...

7.5CVSS5.8AI score0.00116EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/06/25 9:41 p.m.18 views

CVE-2021-47987 Parse Server - Arbitrary Code Execution via Malicious Version Tags

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it define...

7.7CVSS0.0012EPSS
Exploits0References2
CVE
CVE
added 2026/06/25 9:41 p.m.11 views

CVE-2021-47987

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository, pointing to an unreviewed personal fork with write access. No releases were published with these tags; a project exposing a vulnerability would require a git-...

7.7CVSS5.9AI score0.0012EPSS
Exploits0References2
CVE
CVE
added 2026/06/25 4:58 p.m.34 views

CVE-2026-48995

CVE-2026-48995 affects pnpm, a package manager. Prior to versions 10.33.4 and 11.0.7, a malicious codeload.github.com server could serve arbitrary tarballs and pnpm would install them regardless of the lockfile because the tarball hash is not stored in the lockfile. This could enable tampering of...

7.5CVSS5.9AI score0.00116EPSS
Exploits1References1Affected Software1
The Hacker News
The Hacker News
added 2026/06/11 6:23 a.m.22 views

GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

GitHub has announced what it said are "breaking changes" coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the "npm install" command to trigger the execution of malicious code...

6.6AI score
Exploits0
SUSE CVE
SUSE CVE
added 2026/04/13 11:26 p.m.4 views

SUSE CVE-2026-32146

Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...

8.3CVSS5.9AI score0.00239EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/04/13 10:40 a.m.7 views

CVE-2026-32146

A flaw was found in the Gleam compiler. A malicious direct or transitive git dependency can exploit an improper path validation vulnerability in the Gleam compiler's handling of git dependencies during dependency download. This allows for arbitrary file system modification, including the deletion...

8.6CVSS6AI score0.00239EPSS
Exploits1References8
NVD
NVD
added 2026/04/11 2:16 p.m.2 views

CVE-2026-32146

Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...

8.6CVSS0.00239EPSS
Exploits1References8
Cvelist
Cvelist
added 2026/04/11 12:59 p.m.31 views

CVE-2026-32146 Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification

Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...

8.3CVSS0.00239EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 2026/04/11 12:59 p.m.3 views

CVE-2026-32146

Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...

8.3CVSS5.9AI score0.00239EPSS
Exploits1References7
CVE
CVE
added 2026/04/11 12:59 p.m.14 views

CVE-2026-32146

CVE-2026-32146 is an improper path validation flaw in the Gleam compiler’s handling of git dependencies during dependency download. Attacker-controlled paths (via relative traversal like ../ or absolute paths) can target filesystem locations outside the intended dependency directory, enabling del...

8.6CVSS5.9AI score0.00239EPSS
Exploits1References8Affected Software1
OSV
OSV
added 2026/04/11 12:59 p.m.5 views

EEF-CVE-2026-32146 Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification

Summary Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or...

8.3CVSS6AI score0.00239EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/11 12:0 a.m.3 views

PT-2026-32098

Name of the Vulnerable Software and Affected Versions Gleam versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1 Description An improper path validation issue exists in the Gleam compiler when handling git dependencies during the dependency download process. Dependency names from gleam.toml and...

8.3CVSS6.3AI score0.00239EPSS
Exploits1References11
NVD
NVD
added 2026/01/26 10:15 p.m.10 views

CVE-2026-24056

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...

6.7CVSS0.00469EPSS
Exploits1References3
OSV
OSV
added 2026/01/26 9:59 p.m.4 views

CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...

6.7CVSS5.9AI score0.00469EPSS
Exploits1References5
CVE
CVE
added 2026/01/26 9:59 p.m.33 views

CVE-2026-24056

CVE-2026-24056 affects pnpm prior to 10.28.2: when installing file: or git: dependencies, symlinks are followed and their target contents read outside the package root, enabling possible leakage of local data (e.g., credentials) into node_modules. Root cause: store/cafs/src/addFilesFromDir.ts use...

6.7CVSS5.9AI score0.00469EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/01/26 9:59 p.m.22 views

CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...

6.7CVSS0.00469EPSS
Exploits1References3
EUVD
EUVD
added 2026/01/26 9:59 p.m.6 views

EUVD-2026-4658

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...

6.7CVSS5.9AI score0.00469EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/01/26 9:59 p.m.4 views

CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...

6.7CVSS5.9AI score0.00469EPSS
Exploits1References3
Rows per page
Query Builder