CVE-2025-69264 pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...

CVE-2025-69264

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...

CVE-2025-69263

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm v10+ Git Dependency Script Execution Bypass Summary A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10...

GHSA-379Q-355J-W6RJ pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm v10+ Git Dependency Script Execution Bypass Summary A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10...

GHSA-7VHP-VF5G-R2FW pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...

pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...

Important: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available fo...

CVE-2025-64424

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user member to execute syst...

Important: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

Important: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

Important: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 9.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

PT-2026-1940

Name of the Vulnerable Software and Affected Versions pnpm versions 10.26.2 and below Description pnpm, a package manager, stores HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes in versions 10.26.2 and below. This allows a remote server to deliver...

PT-2026-1941

Name of the Vulnerable Software and Affected Versions pnpm versions 10.0.0 through 10.25 Description pnpm is a package manager affected by an issue where git-hosted dependencies can execute arbitrary code during the pnpm install process. This bypasses the security feature introduced in version 10...

Alibaba Cloud Linux 3 : 0001: git-lfs (ALINUX3-SA-2026:0001)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2026:0001 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-26625: Git LFS is a Git extension for...

pnpm 安全漏洞

pnpm is a package manager in the pnpm open source. A security vulnerability exists in pnpm versions 10.0.0 through 10.25, which stems from a git-hosted dependency that can execute arbitrary code during installation, potentially leading to remote code execution...

CVE-2025-59157

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary...

Arbitrary File Upload

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Arbitrary File Upload via the Git Node. An authenticated user can achieve execution of untrusted code by uploading malicious files that are subsequently executed by the service. This can lead to ful...

Arbitrary File Upload

Overview n8n-workflow is a Workflow base code of n8n Affected versions of this package are vulnerable to Arbitrary File Upload via the Git Node. An authenticated user can achieve execution of untrusted code by uploading malicious files that are subsequently executed by the service. This can lead ...

Arbitrary File Upload

Overview n8n-core is a Core functionality of n8n Affected versions of this package are vulnerable to Arbitrary File Upload via the Git Node. An authenticated user can achieve execution of untrusted code by uploading malicious files that are subsequently executed by the service. This can lead to...