5 matches found
pnpm 11.3.x < 11.5.3 Stage Download Path Traversal (CVE-2026-55700)
The version of pnpm installed on the remote host is 11.3.x prior to 11.5.3. It is, therefore, affected by a path traversal vulnerability: - From 11.3.0 until 11.5.3, pnpm stage download derived a local filename from registry-controlled package name and version fields. A crafted manifest could...
pnpm < 10.34.0 / 11.x < 11.4.0 Multiple Vulnerabilities
The version of pnpm installed on the remote host is prior to 10.34.0, or 11.x prior to 11.4.0. It is, therefore, affected by multiple vulnerabilities: - pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses tha...
pnpm-10.32.1-1.1 on GA media (moderate)
pnpm-10.32.1-1.1 on GA media Announcement ID: openSUSE-SU-2026:10410-1 Rating: moderate Cross-References: CVE-2026-24842 CVSS scores: CVE-2026-24842 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2026-24842 SUSE : 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N...
OPENSUSE-SU-2026:10410-1 pnpm-10.32.1-1.1 on GA media
These are all security issues fixed in the pnpm-10.32.1-1.1 package on the GA media of openSUSE Tumbleweed...
EUVD-2026-1189
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...