Lucene search

13 matches found

NVD
added 3 days ago, 5 views

CVE-2026-50021

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...

CVSS 6.8, EPSS 0.00119
Exploits: 0, References: 1
Vulnrichment
added 2026/01/26 9:37 p.m., 2 views

CVE-2026-23888 pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing ../ or absolute paths that...

CVSS 6.5, AI score 5.9, EPSS 0.00396
Exploits: 1, References: 3
Snyk
added 2026/01/26 9:2 p.m., 3 views

Relative Path Traversal

Overview: @pnpm/package-bins is a package that returns the bins of a package. Affected versions of this package are vulnerable to Relative Path Traversal via the commandsFromBin function when performing bin name validation and normalization. An attacker can create or overwrite arbitrary files outside the...

CVSS 7.4, AI score 6, EPSS 0.00438
Exploits: 1, References: 2
vulnersOsv
added 2026/01/07 10:55 p.m., 5 views

@directus/release-notes-generator (>=2.0.2 <=3.0.0-rc.0), @kcconfigs/commitlint (>=0.1.0-beta.0 <=0.2.0) +76 more potentially affected by CVE-2025-69262 via @pnpm/npm-conf (>=3.0.0 <=3.0.1)

@pnpm/npm-conf (NPM) versions =3.0.0, =2.0.2, =0.1.0-beta.0, =1000.3.5, =1000.0.4, =1000.1.0, =1002.1.1, =1008.0.2, =1016.0.0 and more. Source CVEs: CVE-2025-69262. Source advisory: SNYK:JS-PNPMNPMCONF-14897556...

CVSS 7.8, AI score 5.4, EPSS 0.00949
Exploits: 1
AlpineLinux
added 2026/01/07 10:30 p.m., 4 views

CVE-2025-69262

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Cod...

CVSS 7.8, AI score 7.6, EPSS 0.00949
Exploits: 1
Snyk
added 2026/01/07 9:57 p.m., 2 views

Resources Downloaded over Insecure Protocol

Overview: @pnpm/package-store is a storage for packages. Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol due to the absence of integrity hashes in the lockfile for HTTP or git-hosted tarball dependencies. An attacker can execute arbitrary code by...

CVSS 8.8, AI score 7.6, EPSS 0.00234
Exploits: 1, References: 2
OSV
added 2026/01/07 9:53 p.m., 5 views

CVE-2025-69264 pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...

CVSS 8.8, AI score 8.5, EPSS 0.0081
Exploits: 1, References: 4
RedhatCVE
added 2025/05/23 3:29 a.m., 7 views

CVE-2023-37478

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via...

CVSS 9.8, AI score 6.7, EPSS 0.00933
Exploits: 1, References: 1
SUSE CVE
added 2025/04/24 3:29 a.m., 2 views

SUSE CVE-2024-47829

pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name...

CVSS 6.5, AI score 6.9, EPSS 0.00187
Exploits: 1, References: 3
Cvelist
added 2025/04/23 3:42 p.m., 81 views

CVE-2024-47829 pnpm's md5 path shortening function causes package paths to coincide, which causes indirect package overwriting

pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name...

CVSS 6.5, EPSS 0.00187
Exploits: 1, References: 1
Wolfi
added 2024/12/10 10:42 p.m., 5 views

GHSA-VM32-9RQF-RH3R vulnerabilities

Vulnerabilities for packages: pnpm...

AI score 7.5
Exploits: 0
Wolfi
added 2024/12/10 6:15 p.m., 75 views

CVE-2024-53866 vulnerabilities

Vulnerabilities for packages: pnpm...

CVSS 9.8, AI score 7.2, EPSS 0.0095
Exploits: 1
Vulnrichment
added 2023/08/01 11:43 a.m., 14 views

CVE-2023-37478 pnpm incorrectly parses tar archives relative to specification

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via...

CVSS 7.5, AI score 9.4, EPSS 0.00933
Exploits: 1, References: 3