Lookup for vulnerable packages by Package URL.

Purl pkg:npm/pnpm@0.60.2
Type npm
Namespace
Name pnpm
Version 0.60.2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 10.28.2
Latest_non_vulnerable_version 11.0.0-alpha.0
Affected_by_vulnerabilities
0
url VCID-5p8u-1r5s-6qbz
vulnerability_id VCID-5p8u-1r5s-6qbz
summary
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23888
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05827
published_at 2026-06-08T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05879
published_at 2026-06-05T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.0587
published_at 2026-06-06T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05872
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23888
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433095
reference_id 2433095
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433095
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23888
reference_id CVE-2026-23888
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23888
7
reference_url https://github.com/advisories/GHSA-6pfh-p556-v868
reference_id GHSA-6pfh-p556-v868
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6pfh-p556-v868
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868
reference_id GHSA-6pfh-p556-v868
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78bz-kqa9-uuft
1
vulnerability VCID-f6mh-kk89-8fh6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23888, GHSA-6pfh-p556-v868
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5p8u-1r5s-6qbz
1
url VCID-5yt8-uzxj-vub4
vulnerability_id VCID-5yt8-uzxj-vub4
summary
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23890
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05827
published_at 2026-06-08T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05879
published_at 2026-06-05T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.0587
published_at 2026-06-06T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05872
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23890
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433090
reference_id 2433090
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433090
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23890
reference_id CVE-2026-23890
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23890
7
reference_url https://github.com/advisories/GHSA-xpqm-wm3m-f34h
reference_id GHSA-xpqm-wm3m-f34h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xpqm-wm3m-f34h
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
reference_id GHSA-xpqm-wm3m-f34h
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78bz-kqa9-uuft
1
vulnerability VCID-f6mh-kk89-8fh6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23890, GHSA-xpqm-wm3m-f34h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5yt8-uzxj-vub4
2
url VCID-78bz-kqa9-uuft
vulnerability_id VCID-78bz-kqa9-uuft
summary
pnpm has symlink traversal in file:/git dependencies
When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data.

**Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24056
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02701
published_at 2026-06-08T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02765
published_at 2026-06-05T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02772
published_at 2026-06-06T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02718
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24056
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433605
reference_id 2433605
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433605
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24056
reference_id CVE-2026-24056
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24056
7
reference_url https://github.com/advisories/GHSA-m733-5w8f-5ggw
reference_id GHSA-m733-5w8f-5ggw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m733-5w8f-5ggw
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw
reference_id GHSA-m733-5w8f-5ggw
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw
fixed_packages
0
url pkg:npm/pnpm@10.28.2
purl pkg:npm/pnpm@10.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2
1
url pkg:npm/pnpm@11.0.0-alpha.0
purl pkg:npm/pnpm@11.0.0-alpha.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0
aliases CVE-2026-24056, GHSA-m733-5w8f-5ggw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-78bz-kqa9-uuft
3
url VCID-8bcw-h9nr-wffw
vulnerability_id VCID-8bcw-h9nr-wffw
summary
pnpm's use of the md5 path shortening function causes package paths to coincide, which causes indirect package overwriting
The path shortening function used in pnpm:
```ts
// depPathToFilenameUnescaped and createBase32Hash are pnpm helpers defined
// elsewhere in the code base; they are not shown here.
export function depPathToFilename (depPath: string, maxLengthWithoutHash: number): string {
  // Replace characters that are not valid in file names with '+'
  let filename = depPathToFilenameUnescaped(depPath).replace(/[\\/:*?"<>|]/g, '+')
  if (filename.includes('(')) {
    filename = filename
      .replace(/\)$/, '')
      .replace(/(\)\()|\(|\)/g, '_')
  }
  // Names that are too long or not lowercase are truncated and suffixed with a
  // base32-encoded hash of the full name (md5 in the affected versions, per this advisory)
  if (filename.length > maxLengthWithoutHash || filename !== filename.toLowerCase() && !filename.startsWith('file+')) {
    return `${filename.substring(0, maxLengthWithoutHash - 27)}_${createBase32Hash(filename)}`
  }
  return filename
}
```
However, it uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modules/, there are no version numbers for the libraries they refer to.
![Schematic picture](https://github.com/user-attachments/assets/7b8b87ab-f297-47bd-a9dd-43be86e36ed2)
In the diagram, we assume that two packages are called packageA and packageB, and that the first 90 digits of their package names must be the same, and that the hash value of the package names with versions must be the same. Then C is the package that they both reference, but with a different version number. (npm allows package names up to 214 bytes, so constructing such a collision package name is obvious.)

Then hash(packageA@1.2.3)=hash(packageB@3.4.5). This results in the same path for the installation, and thus under the same directory. Although the package names under node_modules are the full paths again, they are shared with C.
What is the exact version number of C?
In our local tests, it depends on which one is installed later. If packageB is installed later, the C version number will change to 2.0.0. At this time, although package A requires the C@1.0.0 version, package.json will only work during installation, and will not affect the actual operation.
We did not receive any installation error issues from pnpm during our local testing, nor did we use force, which is clearly a case that can be triggered.

For a package with a package name + version number longer than 120, another package can be constructed to introduce an indirect reference to a lower version, such as one with some known vulnerability.
Alternatively, it is possible to construct two packages with more than 120 package names + version numbers.
This is clearly an advantage for those intent on carrying out supply chain attacks.


The solution:
The repair cost is also very low, just need to upgrade the md5 function to sha256.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47829
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.19722
published_at 2026-06-09T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19811
published_at 2026-06-05T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19805
published_at 2026-06-06T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19763
published_at 2026-06-07T12:55:00Z
4
value 0.00063
scoring_system epss
scoring_elements 0.19695
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47829
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2361884
reference_id 2361884
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2361884
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47829
reference_id CVE-2024-47829
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47829
5
reference_url https://github.com/advisories/GHSA-8cc4-rfj6-fhg4
reference_id GHSA-8cc4-rfj6-fhg4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8cc4-rfj6-fhg4
6
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4
reference_id GHSA-8cc4-rfj6-fhg4
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T16:07:35Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4
fixed_packages
0
url pkg:npm/pnpm@10.0.0
purl pkg:npm/pnpm@10.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19yz-vtve-a7eu
1
vulnerability VCID-54eu-x4xg-xqge
2
vulnerability VCID-5p8u-1r5s-6qbz
3
vulnerability VCID-5yt8-uzxj-vub4
4
vulnerability VCID-78bz-kqa9-uuft
5
vulnerability VCID-9yxm-kuxe-zbgg
6
vulnerability VCID-f6mh-kk89-8fh6
7
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.0.0
aliases CVE-2024-47829, GHSA-8cc4-rfj6-fhg4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8bcw-h9nr-wffw
4
url VCID-91bz-7gcc-qfh6
vulnerability_id VCID-91bz-7gcc-qfh6
summary
Untrusted Search Path
PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-26183
reference_id
reference_type
scores
0
value 0.00642
scoring_system epss
scoring_elements 0.71006
published_at 2026-06-04T12:55:00Z
1
value 0.00642
scoring_system epss
scoring_elements 0.71049
published_at 2026-06-09T12:55:00Z
2
value 0.00642
scoring_system epss
scoring_elements 0.71023
published_at 2026-06-08T12:55:00Z
3
value 0.00642
scoring_system epss
scoring_elements 0.71038
published_at 2026-06-07T12:55:00Z
4
value 0.00642
scoring_system epss
scoring_elements 0.71055
published_at 2026-06-06T12:55:00Z
5
value 0.00642
scoring_system epss
scoring_elements 0.71048
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-26183
1
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
2
reference_url https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb
3
reference_url https://github.com/pnpm/pnpm/releases/tag/v6.15.1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm/releases/tag/v6.15.1
4
reference_url https://www.sonarsource.com/blog/securing-developer-tools-package-managers
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.sonarsource.com/blog/securing-developer-tools-package-managers
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-26183
reference_id CVE-2022-26183
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-26183
6
reference_url https://github.com/advisories/GHSA-9m87-6fj3-c5xh
reference_id GHSA-9m87-6fj3-c5xh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9m87-6fj3-c5xh
fixed_packages
0
url pkg:npm/pnpm@6.15.1
purl pkg:npm/pnpm@6.15.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5p8u-1r5s-6qbz
1
vulnerability VCID-5yt8-uzxj-vub4
2
vulnerability VCID-78bz-kqa9-uuft
3
vulnerability VCID-8bcw-h9nr-wffw
4
vulnerability VCID-9yxm-kuxe-zbgg
5
vulnerability VCID-f6mh-kk89-8fh6
6
vulnerability VCID-f9mq-9k4v-dbaj
7
vulnerability VCID-q8ww-9xsn-mbhb
8
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@6.15.1
aliases CVE-2022-26183, GHSA-9m87-6fj3-c5xh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91bz-7gcc-qfh6
5
url VCID-9yxm-kuxe-zbgg
vulnerability_id VCID-9yxm-kuxe-zbgg
summary
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69263
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.00974
published_at 2026-06-07T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.01041
published_at 2026-06-05T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.00971
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69263
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/
url https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427703
reference_id 2427703
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427703
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69263
reference_id CVE-2025-69263
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69263
6
reference_url https://github.com/advisories/GHSA-7vhp-vf5g-r2fw
reference_id GHSA-7vhp-vf5g-r2fw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7vhp-vf5g-r2fw
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
reference_id GHSA-7vhp-vf5g-r2fw
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
fixed_packages
0
url pkg:npm/pnpm@10.26.0
purl pkg:npm/pnpm@10.26.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-54eu-x4xg-xqge
1
vulnerability VCID-5p8u-1r5s-6qbz
2
vulnerability VCID-5yt8-uzxj-vub4
3
vulnerability VCID-78bz-kqa9-uuft
4
vulnerability VCID-f6mh-kk89-8fh6
5
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.26.0
aliases CVE-2025-69263, GHSA-7vhp-vf5g-r2fw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9yxm-kuxe-zbgg
6
url VCID-f6mh-kk89-8fh6
vulnerability_id VCID-f6mh-kk89-8fh6
summary
pnpm has Path Traversal via arbitrary file permission modification
When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations.

**Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24131
reference_id
reference_type
scores
0
value 7e-05
scoring_system epss
scoring_elements 0.00642
published_at 2026-06-08T12:55:00Z
1
value 7e-05
scoring_system epss
scoring_elements 0.00649
published_at 2026-06-06T12:55:00Z
2
value 7e-05
scoring_system epss
scoring_elements 0.00646
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24131
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433115
reference_id 2433115
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433115
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24131
reference_id CVE-2026-24131
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-24131
7
reference_url https://github.com/advisories/GHSA-v253-rj99-jwpq
reference_id GHSA-v253-rj99-jwpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v253-rj99-jwpq
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
reference_id GHSA-v253-rj99-jwpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
fixed_packages
0
url pkg:npm/pnpm@10.28.2
purl pkg:npm/pnpm@10.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2
1
url pkg:npm/pnpm@11.0.0-alpha.0
purl pkg:npm/pnpm@11.0.0-alpha.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0
aliases CVE-2026-24131, GHSA-v253-rj99-jwpq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f6mh-kk89-8fh6
7
url VCID-f9mq-9k4v-dbaj
vulnerability_id VCID-f9mq-9k4v-dbaj
summary
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
pnpm seems to mishandle overrides and global cache:
1. Overrides from one workspace leak into npm metadata saved in global cache
2. npm metadata from global cache affects other workspaces
3. installs by default don't revalidate the data (including on first lockfile generation)

This can make workspace A (even running with `ignore-scripts=true`) poison the global cache and execute scripts in workspace B.

Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).

Here, that expectation is broken.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53866
reference_id
reference_type
scores
0
value 0.01415
scoring_system epss
scoring_elements 0.80924
published_at 2026-06-07T12:55:00Z
1
value 0.01415
scoring_system epss
scoring_elements 0.80939
published_at 2026-06-09T12:55:00Z
2
value 0.01415
scoring_system epss
scoring_elements 0.80925
published_at 2026-06-05T12:55:00Z
3
value 0.01415
scoring_system epss
scoring_elements 0.80921
published_at 2026-06-08T12:55:00Z
4
value 0.01415
scoring_system epss
scoring_elements 0.80927
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53866
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/
url https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53866
reference_id CVE-2024-53866
reference_type
scores
0
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53866
5
reference_url https://github.com/advisories/GHSA-vm32-9rqf-rh3r
reference_id GHSA-vm32-9rqf-rh3r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vm32-9rqf-rh3r
6
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r
reference_id GHSA-vm32-9rqf-rh3r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r
fixed_packages
0
url pkg:npm/pnpm@9.15.0
purl pkg:npm/pnpm@9.15.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-54eu-x4xg-xqge
1
vulnerability VCID-5p8u-1r5s-6qbz
2
vulnerability VCID-5yt8-uzxj-vub4
3
vulnerability VCID-78bz-kqa9-uuft
4
vulnerability VCID-8bcw-h9nr-wffw
5
vulnerability VCID-9yxm-kuxe-zbgg
6
vulnerability VCID-f6mh-kk89-8fh6
7
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@9.15.0
aliases CVE-2024-53866, GHSA-vm32-9rqf-rh3r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f9mq-9k4v-dbaj
8
url VCID-q8ww-9xsn-mbhb
vulnerability_id VCID-q8ww-9xsn-mbhb
summary
pnpm incorrectly parses tar archives relative to specification
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37478
reference_id
reference_type
scores
0
value 0.02208
scoring_system epss
scoring_elements 0.8478
published_at 2026-06-05T12:55:00Z
1
value 0.02208
scoring_system epss
scoring_elements 0.84784
published_at 2026-06-06T12:55:00Z
2
value 0.02299
scoring_system epss
scoring_elements 0.85058
published_at 2026-06-09T12:55:00Z
3
value 0.02299
scoring_system epss
scoring_elements 0.85043
published_at 2026-06-08T12:55:00Z
4
value 0.02299
scoring_system epss
scoring_elements 0.85053
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37478
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/releases/tag/v7.33.4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/
url https://github.com/pnpm/pnpm/releases/tag/v7.33.4
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v8.6.8
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/
url https://github.com/pnpm/pnpm/releases/tag/v8.6.8
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37478
reference_id CVE-2023-37478
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37478
6
reference_url https://github.com/advisories/GHSA-5r98-f33j-g8h7
reference_id GHSA-5r98-f33j-g8h7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5r98-f33j-g8h7
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7
reference_id GHSA-5r98-f33j-g8h7
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7
fixed_packages
0
url pkg:npm/pnpm@7.33.4
purl pkg:npm/pnpm@7.33.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-54eu-x4xg-xqge
1
vulnerability VCID-5p8u-1r5s-6qbz
2
vulnerability VCID-5yt8-uzxj-vub4
3
vulnerability VCID-78bz-kqa9-uuft
4
vulnerability VCID-8bcw-h9nr-wffw
5
vulnerability VCID-9yxm-kuxe-zbgg
6
vulnerability VCID-f6mh-kk89-8fh6
7
vulnerability VCID-f9mq-9k4v-dbaj
8
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@7.33.4
1
url pkg:npm/pnpm@8.6.8
purl pkg:npm/pnpm@8.6.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-54eu-x4xg-xqge
1
vulnerability VCID-5p8u-1r5s-6qbz
2
vulnerability VCID-5yt8-uzxj-vub4
3
vulnerability VCID-78bz-kqa9-uuft
4
vulnerability VCID-8bcw-h9nr-wffw
5
vulnerability VCID-9yxm-kuxe-zbgg
6
vulnerability VCID-f6mh-kk89-8fh6
7
vulnerability VCID-f9mq-9k4v-dbaj
8
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@8.6.8
aliases CVE-2023-37478, GHSA-5r98-f33j-g8h7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q8ww-9xsn-mbhb
9
url VCID-txar-vsfq-9qeq
vulnerability_id VCID-txar-vsfq-9qeq
summary
pnpm has Windows-specific tarball Path Traversal
A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal.

**This vulnerability is Windows-only.**
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23889
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05827
published_at 2026-06-08T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05879
published_at 2026-06-05T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.0587
published_at 2026-06-06T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05872
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23889
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433093
reference_id 2433093
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433093
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23889
reference_id CVE-2026-23889
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23889
7
reference_url https://github.com/advisories/GHSA-6x96-7vc8-cm3p
reference_id GHSA-6x96-7vc8-cm3p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6x96-7vc8-cm3p
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
reference_id GHSA-6x96-7vc8-cm3p
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78bz-kqa9-uuft
1
vulnerability VCID-f6mh-kk89-8fh6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23889, GHSA-6x96-7vc8-cm3p
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-txar-vsfq-9qeq
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@0.60.2