12 matches found

EUVD, added 6 days ago, 6 views

EUVD-2026-39497

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile...

CVSS 7.5, AI score 5.8, EPSS 0.00116
Exploits: 1, References: 2
NVD, added 2026/06/25 6:16 p.m., 8 views

CVE-2026-55699

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest a...

CVSS 6.5, EPSS 0.00286
Exploits: 1, References: 1
CVE, added 2026/06/25 4:58 p.m., 21 views

CVE-2026-48995

CVE-2026-48995 affects pnpm, a package manager. Prior to versions 10.33.4 and 11.0.7, a malicious codeload.github.com server could serve arbitrary tarballs and pnpm would install them regardless of the lockfile because the tarball hash is not stored in the lockfile. This could enable tampering of...

CVSS 7.5, AI score 5.9, EPSS 0.00116
Exploits: 1, References: 1, Affected Software: 1
ATTACKERKB, added 2026/06/25 4:42 p.m., 20 views

CVE-2026-55697

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency ...

CVSS 7.5, AI score 5.9, EPSS 0.00127
Exploits: 1, References: 2, Affected Software: 1
vulnersOsv, added 2026/01/26 9:02 p.m., 7 views

@conglomerate/weaver (>=2.1.1 <=2.6.1), @derivative/derive (>=0.1.0 <=0.1.1) +10 more potentially affected by CVE-2026-23888 via pnpm (>=0.21.0 <=10.18.3)

pnpm NPM version =0.21.0, =2.1.1, =0.1.0, =0.1.0, =3.7.16, =2.3.0, =0.1.0, =0.2.7, =1.0.4, =1.0.7 Source cves: CVE-2026-23888 Source advisory: OSV:GHSA-6PFH-P556-V868...

CVSS 6.5, AI score 5.8, EPSS 0.00396
Exploits: 1
vulnersOsv, added 2026/01/26 9:02 p.m., 6 views

@conglomerate/weaver (>=2.1.1 <=2.6.1), @derivative/derive (>=0.1.0 <=0.1.1) +10 more potentially affected by CVE-2026-23889 via pnpm (>=0.21.0 <=10.18.3)

pnpm NPM version =0.21.0, =2.1.1, =0.1.0, =0.1.0, =3.7.16, =2.3.0, =0.1.0, =0.2.7, =1.0.4, =1.0.7 Source cves: CVE-2026-23889 Source advisory: OSV:GHSA-6X96-7VC8-CM3P...

CVSS 6.5, AI score 5.8, EPSS 0.00433
Exploits: 1
vulnersOsv, added 2026/01/26 9:02 p.m., 8 views

@conglomerate/weaver (>=2.1.1 <=2.6.1), @derivative/derive (>=0.1.0 <=0.1.1) +10 more potentially affected by CVE-2026-23890 via pnpm (>=0.21.0 <=10.18.3)

pnpm NPM version =0.21.0, =2.1.1, =0.1.0, =0.1.0, =3.7.16, =2.3.0, =0.1.0, =0.2.7, =1.0.4, =1.0.7 Source cves: CVE-2026-23890 Source advisory: OSV:GHSA-XPQM-WM3M-F34H...

CVSS 6.5, AI score 5.8, EPSS 0.00438
Exploits: 1
CNNVD, added 2026/01/26 12:00 a.m., 7 views

pnpm post-link vulnerability

pnpm is a package manager developed by the open-source pnpm project. Prior to version 10.28.2, pnpm had a backlink vulnerability. This vulnerability stemmed from the use of symbolic links when installing dependencies via file: or git:. Such practices could lead to local data leaks...

CVSS 6.7, AI score 5.8, EPSS 0.00469
Exploits: 1, References: 3
vulnersOsv, added 2026/01/07 7:06 p.m., 10 views

@conglomerate/weaver (>=2.1.1 <=2.6.1), @derivative/derive (>=0.1.0 <=0.1.1) +10 more potentially affected by CVE-2025-69263 via pnpm (>=0.21.0 <=10.18.3)

pnpm NPM version =0.21.0, =2.1.1, =0.1.0, =0.1.0, =3.7.16, =2.3.0, =0.1.0, =0.2.7, =1.0.4, =1.0.7 Source cves: CVE-2025-69263 Source advisory: OSV:GHSA-7VHP-VF5G-R2FW...

CVSS 8.8, AI score 6, EPSS 0.0031
Exploits: 1
Positive Technologies, added 2026/01/07 12:00 a.m., 6 views

PT-2026-1940

Name of the Vulnerable Software and Affected Versions pnpm versions 10.26.2 and below Description pnpm, a package manager, stores HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes in versions 10.26.2 and below. This allows a remote server to deliver...

CVSS 8.8, AI score 6.3, EPSS 0.0031
Exploits: 1, References: 13
Positive Technologies, added 2026/01/07 12:00 a.m., 5 views

PT-2026-1941

Name of the Vulnerable Software and Affected Versions pnpm versions 10.0.0 through 10.25 Description pnpm is a package manager affected by an issue where git-hosted dependencies can execute arbitrary code during the pnpm install process. This bypasses the security feature introduced in version 10...

CVSS 9.8, AI score 6.8, EPSS 0.01023
Exploits: 1, References: 13
CNNVD, added 2024/12/10 12:00 a.m., 5 views

pnpm code issue vulnerability

pnpm is a package manager from the pnpm open-source project. A code issue vulnerability exists in pnpm 9.14.4 and earlier versions. It stems from improper handling of overrides and global caching, which can lead to arbitrary code being run in subsequent installations...

CVSS 9.8, AI score 6.9, EPSS 0.00942
Exploits: 1, References: 2