{"url":"http://public2.vulnerablecode.io/api/packages/521611?format=json","purl":"pkg:npm/pnpm@6.2.2-20210426","type":"npm","namespace":"","name":"pnpm","version":"6.2.2-20210426","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"10.28.2","latest_non_vulnerable_version":"11.0.0-alpha.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22254?format=json","vulnerability_id":"VCID-1akr-h98b-s3h8","summary":"pnpm has Windows-specific tarball Path Traversal\nA path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. On Windows, backslashes are directory separators, enabling path traversal.\n\n**This vulnerability is Windows-only.**","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23889","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.06053","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23889"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/"}],"url":"https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433093","reference_id":"2433093","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433093"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23889","reference_id":"CVE-2026-23889","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23889"},{"reference_url":"https://github.com/advisories/GHSA-6x96-7vc8-cm3p","reference_id":"GHSA-6x96-7vc8-cm3p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6x96-7vc8-cm3p"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p","reference_id":"GHSA-6x96-7vc8-cm3p","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72396?format=json","purl":"pkg:npm/pnpm@10.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1"}],"aliases":["CVE-2026-23889","GHSA-6x96-7vc8-cm3p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1akr-h98b-s3h8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/270776?format=json","vulnerability_id":"VCID-2296-5a4n-53aj","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53866","reference_id":"","reference_type":"","scores":[{"value":"0.01358","scoring_system":"epss","scoring_elements":"0.80456","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53866"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/"}],"url":"https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53866","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53866"},{"reference_url":"https://github.com/advisories/GHSA-vm32-9rqf-rh3r","reference_id":"GHSA-vm32-9rqf-rh3r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vm32-9rqf-rh3r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/187488?format=json","purl":"pkg:npm/pnpm@9.15.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1akr-h98b-s3h8"},{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-aqjh-jsfq-efe7"},{"vulnerability":"VCID-d9w9-6b2g-y7ba"},{"vulnerability":"VCID-s3ds-9qh7-eyfx"},{"vulnerability":"VCID-s9kc-j8ac-9kch"},{"vulnerability":"VCID-v4hg-dksc-bbbn"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@9.15.0"}],"aliases":["CVE-2024-53866","GHSA-vm32-9rqf-rh3r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2296-5a4n-53aj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18183?format=json","vulnerability_id":"VCID-4qts-drt3-eufs","summary":"pnpm incorrectly parses tar archives relative to specification\npnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37478","reference_id":"","reference_type":"","scores":[{"value":"0.017","scoring_system":"epss","scoring_elements":"0.82608","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37478"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v7.33.4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v7.33.4"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v8.6.8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v8.6.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37478","reference_id":"CVE-2023-37478","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37478"},{"reference_url":"https://github.com/advisories/GHSA-5r98-f33j-g8h7","reference_id":"GHSA-5r98-f33j-g8h7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5r98-f33j-g8h7"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7","reference_id":"GHSA-5r98-f33j-g8h7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65232?format=json","purl":"pkg:npm/pnpm@7.33.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1akr-h98b-s3h8"},{"vulnerability":"VCID-2296-5a4n-53aj"},{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-aqjh-jsfq-efe7"},{"vulnerability":"VCID-d9w9-6b2g-y7ba"},{"vulnerability":"VCID-s3ds-9qh7-eyfx"},{"vulnerability":"VCID-s9kc-j8ac-9kch"},{"vulnerability":"VCID-v4hg-dksc-bbbn"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/65233?format=json","purl":"pkg:npm/pnpm@8.6.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1akr-h98b-s3h8"},{"vulnerability":"VCID-2296-5a4n-53aj"},{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-aqjh-jsfq-efe7"},{"vulnerability":"VCID-d9w9-6b2g-y7ba"},{"vulnerability":"VCID-s3ds-9qh7-eyfx"},{"vulnerability":"VCID-s9kc-j8ac-9kch"},{"vulnerability":"VCID-v4hg-dksc-bbbn"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@8.6.8"}],"aliases":["CVE-2023-37478","GHSA-5r98-f33j-g8h7"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4qts-drt3-eufs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22258?format=json","vulnerability_id":"VCID-6432-q5c6-w7hv","summary":"pnpm has symlink traversal in file:/git dependencies\nWhen pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data.\n\n**Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24056","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0284","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24056"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/"}],"url":"https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433605","reference_id":"2433605","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433605"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24056","reference_id":"CVE-2026-24056","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24056"},{"reference_url":"https://github.com/advisories/GHSA-m733-5w8f-5ggw","reference_id":"GHSA-m733-5w8f-5ggw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m733-5w8f-5ggw"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw","reference_id":"GHSA-m733-5w8f-5ggw","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72414?format=json","purl":"pkg:npm/pnpm@10.28.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2"},{"url":"http://public2.vulnerablecode.io/api/packages/902868?format=json","purl":"pkg:npm/pnpm@11.0.0-alpha.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0"}],"aliases":["CVE-2026-24056","GHSA-m733-5w8f-5ggw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6432-q5c6-w7hv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15368?format=json","vulnerability_id":"VCID-8xm2-fbvy-j7es","summary":"Untrusted Search Path\nPNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26183","reference_id":"","reference_type":"","scores":[{"value":"0.00642","scoring_system":"epss","scoring_elements":"0.70953","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26183"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v6.15.1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm/releases/tag/v6.15.1"},{"reference_url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers"},{"reference_url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers/","reference_id":"","reference_type":"","scores":[],"url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26183","reference_id":"CVE-2022-26183","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26183"},{"reference_url":"https://github.com/advisories/GHSA-9m87-6fj3-c5xh","reference_id":"GHSA-9m87-6fj3-c5xh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9m87-6fj3-c5xh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60028?format=json","purl":"pkg:npm/pnpm@6.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1akr-h98b-s3h8"},{"vulnerability":"VCID-2296-5a4n-53aj"},{"vulnerability":"VCID-4qts-drt3-eufs"},{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-aqjh-jsfq-efe7"},{"vulnerability":"VCID-s3ds-9qh7-eyfx"},{"vulnerability":"VCID-s9kc-j8ac-9kch"},{"vulnerability":"VCID-v4hg-dksc-bbbn"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@6.15.1"}],"aliases":["CVE-2022-26183","GHSA-9m87-6fj3-c5xh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8xm2-fbvy-j7es"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22242?format=json","vulnerability_id":"VCID-aqjh-jsfq-efe7","summary":"pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)\nA path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23888","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.06053","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23888"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/"}],"url":"https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433095","reference_id":"2433095","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433095"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23888","reference_id":"CVE-2026-23888","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23888"},{"reference_url":"https://github.com/advisories/GHSA-6pfh-p556-v868","reference_id":"GHSA-6pfh-p556-v868","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6pfh-p556-v868"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868","reference_id":"GHSA-6pfh-p556-v868","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72396?format=json","purl":"pkg:npm/pnpm@10.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1"}],"aliases":["CVE-2026-23888","GHSA-6pfh-p556-v868"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aqjh-jsfq-efe7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22251?format=json","vulnerability_id":"VCID-s3ds-9qh7-eyfx","summary":"pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin\nA path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23890","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.06053","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23890"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/"}],"url":"https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433090","reference_id":"2433090","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433090"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23890","reference_id":"CVE-2026-23890","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23890"},{"reference_url":"https://github.com/advisories/GHSA-xpqm-wm3m-f34h","reference_id":"GHSA-xpqm-wm3m-f34h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xpqm-wm3m-f34h"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h","reference_id":"GHSA-xpqm-wm3m-f34h","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72396?format=json","purl":"pkg:npm/pnpm@10.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1"}],"aliases":["CVE-2026-23890","GHSA-xpqm-wm3m-f34h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s3ds-9qh7-eyfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22012?format=json","vulnerability_id":"VCID-s9kc-j8ac-9kch","summary":"pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies\nHTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69263","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03527","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69263"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/"}],"url":"https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2427703","reference_id":"2427703","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2427703"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69263","reference_id":"CVE-2025-69263","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69263"},{"reference_url":"https://github.com/advisories/GHSA-7vhp-vf5g-r2fw","reference_id":"GHSA-7vhp-vf5g-r2fw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7vhp-vf5g-r2fw"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw","reference_id":"GHSA-7vhp-vf5g-r2fw","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72015?format=json","purl":"pkg:npm/pnpm@10.26.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1akr-h98b-s3h8"},{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-aqjh-jsfq-efe7"},{"vulnerability":"VCID-d9w9-6b2g-y7ba"},{"vulnerability":"VCID-s3ds-9qh7-eyfx"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.26.0"}],"aliases":["CVE-2025-69263","GHSA-7vhp-vf5g-r2fw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s9kc-j8ac-9kch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/265953?format=json","vulnerability_id":"VCID-v4hg-dksc-bbbn","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47829","reference_id":"","reference_type":"","scores":[{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40356","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47829"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T16:07:35Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47829","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47829"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2361884","reference_id":"2361884","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2361884"},{"reference_url":"https://github.com/advisories/GHSA-8cc4-rfj6-fhg4","reference_id":"GHSA-8cc4-rfj6-fhg4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8cc4-rfj6-fhg4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72026?format=json","purl":"pkg:npm/pnpm@10.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1akr-h98b-s3h8"},{"vulnerability":"VCID-6432-q5c6-w7hv"},{"vulnerability":"VCID-aqjh-jsfq-efe7"},{"vulnerability":"VCID-d9w9-6b2g-y7ba"},{"vulnerability":"VCID-qm7g-batt-wqer"},{"vulnerability":"VCID-s3ds-9qh7-eyfx"},{"vulnerability":"VCID-s9kc-j8ac-9kch"},{"vulnerability":"VCID-vpna-z26q-63cx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.0.0"}],"aliases":["CVE-2024-47829","GHSA-8cc4-rfj6-fhg4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v4hg-dksc-bbbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22262?format=json","vulnerability_id":"VCID-vpna-z26q-63cx","summary":"pnpm has Path Traversal via arbitrary file permission modification\nWhen pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations.\n\n**Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24131","reference_id":"","reference_type":"","scores":[{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00652","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24131"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/"}],"url":"https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.2","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433115","reference_id":"2433115","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433115"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24131","reference_id":"CVE-2026-24131","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24131"},{"reference_url":"https://github.com/advisories/GHSA-v253-rj99-jwpq","reference_id":"GHSA-v253-rj99-jwpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v253-rj99-jwpq"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq","reference_id":"GHSA-v253-rj99-jwpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72414?format=json","purl":"pkg:npm/pnpm@10.28.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2"},{"url":"http://public2.vulnerablecode.io/api/packages/902868?format=json","purl":"pkg:npm/pnpm@11.0.0-alpha.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0"}],"aliases":["CVE-2026-24131","GHSA-v253-rj99-jwpq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vpna-z26q-63cx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@6.2.2-20210426"}