5 matches found
EUVD-2026-39495
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry...
CVE-2026-50017
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped authToken. The repository does...
CVE-2026-50017 pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped authToken. The repository does...
CVE-2026-50017
pnpm is affected prior to versions 10.34.0 and 11.4.0. In these versions, during normal metadata/install workflows, pnpm can bind user-level unscoped npm authentication credentials to a repository-selected registry (as configured by a repository-local .npmrc) and transmit them in an Authorization...
PT-2026-52516
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.34.0; pnpm versions prior to 11.4.0. Description: pnpm may send user-level unscoped npm authentication credentials to a registry specified in a repository-local .npmrc file. This occurs when a user's global configuration...