322 matches found
CVE-2026-59195
A flaw was found in pnpm, a package manager. A remote attacker could exploit a path traversal vulnerability by crafting a malicious pnpm-lock.yaml file. When a user installs dependencies from such a repository, pnpm incorrectly processes package names from the configDependencies section, leading ...
CVE-2026-59194
A flaw was found in pnpm, a package manager. A remote attacker could exploit this vulnerability by providing a specially crafted patch entry. This crafted entry could resolve outside the configured patches directory, allowing for the deletion of an arbitrary file when pnpm patch-remove is execute...
ROOT-APP-NPM-CVE-2026-50016 CVE-2026-50016 in @rootio/pnpm - Patched by Root
Root has patched CVE-2026-50016 in the @rootio/pnpm package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-55487 CVE-2026-55487 in @rootio/pnpm - Patched by Root
Root has patched CVE-2026-55487 in the @rootio/pnpm package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-55697 CVE-2026-55697 in @rootio/pnpm - Patched by Root
Root has patched CVE-2026-55697 in the @rootio/pnpm package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-GHSA-72R4-9C5J-MJ57 GHSA-72r4-9c5j-mj57 in @rootio/pnpm - Patched by Root
Root has patched GHSA-72r4-9c5j-mj57 in the @rootio/pnpm package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-50015 CVE-2026-50015 in @rootio/pnpm - Patched by Root
Root has patched CVE-2026-50015 in the @rootio/pnpm package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-GHSA-FR4H-3CPH-29XV GHSA-fr4h-3cph-29xv in @rootio/pnpm - Patched by Root
Root has patched GHSA-fr4h-3cph-29xv in the @rootio/pnpm package for Root:npm. Multiple fixed versions available...
CVE-2026-59195
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml who...
CVE-2026-59194
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 and 11.7.0...
CVE-2026-59196
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...
CVE-2026-59195 pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml who...
CVE-2026-59195
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml who...
CVE-2026-59195
CVE-2026-59195 affects pnpm prior to versions 10.34.4 and 11.8.0. The issue arises when pnpm reads package names from the env lockfile’s configDependencies section and uses those names directly to create config dependency symlinks under node_modules/.pnpm-config. A crafted pnpm-lock.yaml with a t...
CVE-2026-59195 pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml who...
CVE-2026-59196
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...
EUVD-2026-41882
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...
CVE-2026-59196
pnpm is vulnerable prior to versions 10.34.4 and 11.7.0 due to a crafted lockfile alias that can be joined under a hoisted node_modules directory, enabling traversal aliases to escape the directory and reserved aliases like .bin or .pnpm to overwrite pnpm-owned layout. The fixed versions are 10.3...
CVE-2026-59196 pnpm: hoisted install imports lockfile alias outside node_modules
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...
CVE-2026-59196 pnpm: hoisted install imports lockfile alias outside node_modules
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...