{"url":"http://public2.vulnerablecode.io/api/packages/545821?format=json","purl":"pkg:npm/pnpm@5.0.0-rc.1","type":"npm","namespace":"","name":"pnpm","version":"5.0.0-rc.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"10.28.2","latest_non_vulnerable_version":"11.0.0-alpha.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21686?format=json","vulnerability_id":"VCID-5hux-erzs-vkfb","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53866","reference_id":"","reference_type":"","scores":[{"value":"0.01415","scoring_system":"epss","scoring_elements":"0.80978","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53866"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53866","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53866"},{"reference_url":"https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743","reference_id":"11afcddea48f25ed5117a87dc1780a55222b9743","reference_type
":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/"}],"url":"https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743"},{"reference_url":"https://github.com/advisories/GHSA-vm32-9rqf-rh3r","reference_id":"GHSA-vm32-9rqf-rh3r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vm32-9rqf-rh3r"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r","reference_id":"GHSA-vm32-9rqf-rh3r","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372484?format=json","purl":"pkg:npm/pnpm@9.15.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8a2j-f9cz-1kav"},{"vulnerability":"VCID-che8-5n7s-sqeq"},{"vulnerability":"VCID-fsge-arhh-ekh3"},{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-nntm-h1md-dffv"},{"vulnerability":"VCID-sf1s-d3sy-3yh4"},{"vulnerability":"VCID-vxqv-gju3-43g9"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@9.15.0"}],"aliases":["CVE-2024-53866","GHSA-vm32-9rqf-rh3r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5hux-erzs-vkfb"},{"url":"http://public2.vulnerablecod
e.io/api/vulnerabilities/208581?format=json","vulnerability_id":"VCID-6mer-khd9-mfam","summary":"Untrusted Search Path in PNPM","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26183","reference_id":"","reference_type":"","scores":[{"value":"0.00642","scoring_system":"epss","scoring_elements":"0.71108","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26183"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v6.15.1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm/releases/tag/v6.15.1"},{"reference_url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2
022-26183","reference_id":"CVE-2022-26183","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26183"},{"reference_url":"https://github.com/advisories/GHSA-9m87-6fj3-c5xh","reference_id":"GHSA-9m87-6fj3-c5xh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9m87-6fj3-c5xh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19831?format=json","purl":"pkg:npm/pnpm@6.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5hux-erzs-vkfb"},{"vulnerability":"VCID-8a2j-f9cz-1kav"},{"vulnerability":"VCID-che8-5n7s-sqeq"},{"vulnerability":"VCID-fsge-arhh-ekh3"},{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-ngd9-hs2s-sbbn"},{"vulnerability":"VCID-nntm-h1md-dffv"},{"vulnerability":"VCID-sf1s-d3sy-3yh4"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@6.15.1"}],"aliases":["CVE-2022-26183","GHSA-9m87-6fj3-c5xh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6mer-khd9-mfam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57605?format=json","vulnerability_id":"VCID-8a2j-f9cz-1kav","summary":"pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses MD5 as its path-shortening (compression) hash, and if a collision occurs, two different libraries will be mapped to the same storage path. Although the real names are under the package name /node_modules/, there are no version numbers for the libraries they refer to. 
This issue has been patched in version 10.0.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47829","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19802","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47829"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47829","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47829"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2361884","reference_id":"2361884","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2361884"},{"reference_url":"https://github.com/advisories/GHSA-8cc4-rfj6-fhg4","reference_id":"GHSA-8cc4-rfj6-fhg4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8cc4-rfj6-fhg4"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4","reference_id":"GHSA-8cc4-rfj6-fhg4","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR
:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T16:07:35Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36589?format=json","purl":"pkg:npm/pnpm@10.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-che8-5n7s-sqeq"},{"vulnerability":"VCID-fsge-arhh-ekh3"},{"vulnerability":"VCID-g6u9-b6us-fuhq"},{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-nntm-h1md-dffv"},{"vulnerability":"VCID-sf1s-d3sy-3yh4"},{"vulnerability":"VCID-vxqv-gju3-43g9"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.0.0"}],"aliases":["CVE-2024-47829","GHSA-8cc4-rfj6-fhg4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8a2j-f9cz-1kav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/123561?format=json","vulnerability_id":"VCID-che8-5n7s-sqeq","summary":"pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. 
This issue is fixed in version 10.26.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69263","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.0097","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69263"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85","reference_id":"0958027f88a99ccefe7e9676cdebba393dfbdc85","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/"}],"url":"https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2427703","reference_id":"2427703","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2427703"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69263","reference_id":"CVE-2025-69263","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:
H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69263"},{"reference_url":"https://github.com/advisories/GHSA-7vhp-vf5g-r2fw","reference_id":"GHSA-7vhp-vf5g-r2fw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7vhp-vf5g-r2fw"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw","reference_id":"GHSA-7vhp-vf5g-r2fw","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36588?format=json","purl":"pkg:npm/pnpm@10.26.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fsge-arhh-ekh3"},{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-nntm-h1md-dffv"},{"vulnerability":"VCID-sf1s-d3sy-3yh4"},{"vulnerability":"VCID-vxqv-gju3-43g9"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.26.0"}],"aliases":["CVE-2025-69263","GHSA-7vhp-vf5g-r2fw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-che8-5n7s-sqeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66890?format=json","vulnerability_id":"VCID-fsge-arhh-ekh3","summary":"pnpm is a package manager. 
Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23889","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05897","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23889"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433093","reference_id":"2433093","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433093"},{"reference_url":"https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0","reference_id":"6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:
N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/"}],"url":"https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23889","reference_id":"CVE-2026-23889","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23889"},{"reference_url":"https://github.com/advisories/GHSA-6x96-7vc8-cm3p","reference_id":"GHSA-6x96-7vc8-cm3p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6x96-7vc8-cm3p"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p","reference_id":"GHSA-6x96-7vc8-cm3p","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1","reference_id":"v10.28.1","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/"}],"url":"https://
github.com/pnpm/pnpm/releases/tag/v10.28.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38166?format=json","purl":"pkg:npm/pnpm@10.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1"}],"aliases":["CVE-2026-23889","GHSA-6x96-7vc8-cm3p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fsge-arhh-ekh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82994?format=json","vulnerability_id":"VCID-jd55-xw7a-ebev","summary":"pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies and CI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. 
Version 10.28.2 contains a patch.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24056","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02694","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24056"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433605","reference_id":"2433605","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433605"},{"reference_url":"https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f","reference_id":"b277b45bc35ae77ca72d7634d144bbd58a48b70f","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/"}],"url":"https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d
7634d144bbd58a48b70f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24056","reference_id":"CVE-2026-24056","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24056"},{"reference_url":"https://github.com/advisories/GHSA-m733-5w8f-5ggw","reference_id":"GHSA-m733-5w8f-5ggw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m733-5w8f-5ggw"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw","reference_id":"GHSA-m733-5w8f-5ggw","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.2","reference_id":"v10.28.2","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","sco
ring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38165?format=json","purl":"pkg:npm/pnpm@10.28.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2"},{"url":"http://public2.vulnerablecode.io/api/packages/932793?format=json","purl":"pkg:npm/pnpm@11.0.0-alpha.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0"}],"aliases":["CVE-2026-24056","GHSA-m733-5w8f-5ggw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jd55-xw7a-ebev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15638?format=json","vulnerability_id":"VCID-ngd9-hs2s-sbbn","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37478","reference_id":"","reference_type":"","scores":[{"value":"0.02299","scoring_system":"epss","scoring_elements":"0.85087","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37478"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://nvd.nist
.gov/vuln/detail/CVE-2023-37478","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37478"},{"reference_url":"https://github.com/advisories/GHSA-5r98-f33j-g8h7","reference_id":"GHSA-5r98-f33j-g8h7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5r98-f33j-g8h7"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7","reference_id":"GHSA-5r98-f33j-g8h7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v7.33.4","reference_id":"v7.33.4","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v7.33.4"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v8.6.8","reference_id":"v8.6.8","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/"}],"url":"https://github.co
m/pnpm/pnpm/releases/tag/v8.6.8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380685?format=json","purl":"pkg:npm/pnpm@7.33.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5hux-erzs-vkfb"},{"vulnerability":"VCID-8a2j-f9cz-1kav"},{"vulnerability":"VCID-che8-5n7s-sqeq"},{"vulnerability":"VCID-fsge-arhh-ekh3"},{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-nntm-h1md-dffv"},{"vulnerability":"VCID-sf1s-d3sy-3yh4"},{"vulnerability":"VCID-vxqv-gju3-43g9"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/380694?format=json","purl":"pkg:npm/pnpm@8.6.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5hux-erzs-vkfb"},{"vulnerability":"VCID-8a2j-f9cz-1kav"},{"vulnerability":"VCID-che8-5n7s-sqeq"},{"vulnerability":"VCID-fsge-arhh-ekh3"},{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-nntm-h1md-dffv"},{"vulnerability":"VCID-sf1s-d3sy-3yh4"},{"vulnerability":"VCID-vxqv-gju3-43g9"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@8.6.8"}],"aliases":["CVE-2023-37478","GHSA-5r98-f33j-g8h7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ngd9-hs2s-sbbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66915?format=json","vulnerability_id":"VCID-nntm-h1md-dffv","summary":"pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. 
This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23890","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05897","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23890"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433090","reference_id":"2433090","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433090"},{"reference_url":"https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d","reference_id":"8afbb1598445d37985d91fda18abb4795ae5062d","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/"}],"url":"https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23890
","reference_id":"CVE-2026-23890","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23890"},{"reference_url":"https://github.com/advisories/GHSA-xpqm-wm3m-f34h","reference_id":"GHSA-xpqm-wm3m-f34h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xpqm-wm3m-f34h"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h","reference_id":"GHSA-xpqm-wm3m-f34h","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1","reference_id":"v10.28.1","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38166?format=json","purl":"pkg:npm/pnpm@10.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packa
ges/pkg:npm/pnpm@10.28.1"}],"aliases":["CVE-2026-23890","GHSA-xpqm-wm3m-f34h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nntm-h1md-dffv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66668?format=json","vulnerability_id":"VCID-sf1s-d3sy-3yh4","summary":"pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) the `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations, and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files, leading to RCE. 
Version 10.28.1 contains a patch.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23888","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05897","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23888"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433095","reference_id":"2433095","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433095"},{"reference_url":"https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5","reference_id":"5c382f0ca3b7cc49963b94677426e66539dcb3f5","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/"}],"url":"https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23888","reference_id":"CVE-2026-23888","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H
/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23888"},{"reference_url":"https://github.com/advisories/GHSA-6pfh-p556-v868","reference_id":"GHSA-6pfh-p556-v868","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6pfh-p556-v868"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868","reference_id":"GHSA-6pfh-p556-v868","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1","reference_id":"v10.28.1","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38166?format=json","purl":"pkg:npm/pnpm@10.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jd55-xw7a-ebev"},{"vulnerability":"VCID-wbvf-6crf-67fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1"}],"aliases":["CVE-2026-23888","GHSA-6pfh-p556-v868"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://
public2.vulnerablecode.io/vulnerabilities/VCID-sf1s-d3sy-3yh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82697?format=json","vulnerability_id":"VCID-wbvf-6crf-67fx","summary":"pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating that the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` is gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24131","reference_id":"","reference_type":"","scores":[{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00644","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24131"},{"reference_url":"https://github.com/pnpm/pnpm","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pnpm/pnpm"},{"reference_url":"https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943","reference_id":"17432ad5bbed5c2e77255ca6d56a1449bbcfd943","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:
N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/"}],"url":"https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433115","reference_id":"2433115","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433115"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24131","reference_id":"CVE-2026-24131","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24131"},{"reference_url":"https://github.com/advisories/GHSA-v253-rj99-jwpq","reference_id":"GHSA-v253-rj99-jwpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v253-rj99-jwpq"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq","reference_id":"GHSA-v253-rj99-jwpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/"}],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.2","reference_id":"v10.28.2","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T
/2026-01-27T21:37:39Z/"}],"url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38165?format=json","purl":"pkg:npm/pnpm@10.28.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2"},{"url":"http://public2.vulnerablecode.io/api/packages/932793?format=json","purl":"pkg:npm/pnpm@11.0.0-alpha.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0"}],"aliases":["CVE-2026-24131","GHSA-v253-rj99-jwpq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wbvf-6crf-67fx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@5.0.0-rc.1"}