CVE-2026-55180

CVE-2026-55180 affects pnpm before 10.34.2 and 11.5.3. The issue arises when pnpm and related configuration (repository-controlled .npmrc and pnpm-workspace.yaml) expand ${ENV_VAR} placeholders into registry request destinations and registry credentials. This can cause dependency resolution to se...

CVE-2026-55180 pnpm: Repository config can expand victim environment secrets into registry requests before scripts run

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...

CVE-2026-44465 Zed: Zed IDE Arbitrary Code Execution via untrusted repository with poisoned .git/config

Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution RCE when a victim open a folder in untrusted mode...

gix-path uses local config across repos when it is the highest scope

Summary gix-path executes git to find the path of a configuration file that belongs to the git installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be...