Lucene search
K

4 matches found

SUSE CVE
SUSE CVE
added 2026/01/28 12:24 a.m.5 views

SUSE CVE-2026-23890

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal...

6.5CVSS5.9AI score0.00438EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/01/26 9:53 p.m.19 views

CVE-2026-23890 pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal...

6.5CVSS0.00438EPSS
Exploits1References3
RedHat Linux
RedHat Linux
added 2020/02/25 1:7 p.m.4 views

npm: Arbitrary file write via constructed entry in the package.json bin field

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended nodemodules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or ga...

8.1CVSS7.5AI score0.03342EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2020/02/25 1:7 p.m.4 views

npm: Symlink reference outside of node_modules folder through the bin field upon installation

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenodemodules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package...

7.7CVSS7.5AI score0.03266EPSS
Exploits0References4
Rows per page
Query Builder