46 matches found
CVE-2026-50014
A flaw was found in pnpm, a package manager. An attacker could exploit this vulnerability by providing a malicious lockfile, which could lead to arbitrary code execution. This occurs because pnpm incorrectly processes git dependency information, allowing a crafted input to execute unauthorized...
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
Summary A malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. Details The lockfile does not store the hash of the dependencies from https://codeload.github.com This means that if this server was compromised or a person's...
CVE-2021-47987 Parse Server - Arbitrary Code Execution via Malicious Version Tags
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it define...
CVE-2021-47987
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository, pointing to an unreviewed personal fork with write access. No releases were published with these tags; a project exposing a vulnerability would require a git-...
CVE-2026-48995
CVE-2026-48995 affects pnpm, a package manager. Prior to versions 10.33.4 and 11.0.7, a malicious codeload.github.com server could serve arbitrary tarballs and pnpm would install them regardless of the lockfile because the tarball hash is not stored in the lockfile. This could enable tampering of...
GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
GitHub has announced what it said are "breaking changes" coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the "npm install" command to trigger the execution of malicious code...
SUSE CVE-2026-32146
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...
CVE-2026-32146
A flaw was found in the Gleam compiler. A malicious direct or transitive git dependency can exploit an improper path validation vulnerability in the Gleam compiler's handling of git dependencies during dependency download. This allows for arbitrary file system modification, including the deletion...
CVE-2026-32146
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...
CVE-2026-32146 Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...
CVE-2026-32146
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...
CVE-2026-32146
CVE-2026-32146 is an improper path validation flaw in the Gleam compiler’s handling of git dependencies during dependency download. Attacker-controlled paths (via relative traversal like ../ or absolute paths) can target filesystem locations outside the intended dependency directory, enabling del...
EEF-CVE-2026-32146 Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification
Summary Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or...
PT-2026-32098
Name of the Vulnerable Software and Affected Versions Gleam versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1 Description An improper path validation issue exists in the Gleam compiler when handling git dependencies during the dependency download process. Dependency names from gleam.toml and...
CVE-2026-24056
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
CVE-2026-24056
CVE-2026-24056 affects pnpm prior to 10.28.2: when installing file: or git: dependencies, symlinks are followed and their target contents read outside the package root, enabling possible leakage of local data (e.g., credentials) into node_modules. Root cause: store/cafs/src/addFilesFromDir.ts use...
CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
EUVD-2026-4658
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...
CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...