Look up vulnerable packages by Package URL.

Purl pkg:npm/pnpm@9.5.0
Type npm
Namespace
Name pnpm
Version 9.5.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 10.28.2
Latest_non_vulnerable_version 11.0.0-alpha.0
Affected_by_vulnerabilities
0
url VCID-5hux-erzs-vkfb
vulnerability_id VCID-5hux-erzs-vkfb
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53866
reference_id
reference_type
scores
0
value 0.01415
scoring_system epss
scoring_elements 0.80978
published_at 2026-06-11T12:55:00Z
1
value 0.01415
scoring_system epss
scoring_elements 0.81047
published_at 2026-06-13T12:55:00Z
2
value 0.01415
scoring_system epss
scoring_elements 0.81038
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53866
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53866
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53866
4
reference_url https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743
reference_id 11afcddea48f25ed5117a87dc1780a55222b9743
reference_type
scores
0
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/
url https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743
5
reference_url https://github.com/advisories/GHSA-vm32-9rqf-rh3r
reference_id GHSA-vm32-9rqf-rh3r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vm32-9rqf-rh3r
6
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r
reference_id GHSA-vm32-9rqf-rh3r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r
fixed_packages
0
url pkg:npm/pnpm@9.15.0
purl pkg:npm/pnpm@9.15.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8a2j-f9cz-1kav
1
vulnerability VCID-che8-5n7s-sqeq
2
vulnerability VCID-fsge-arhh-ekh3
3
vulnerability VCID-jd55-xw7a-ebev
4
vulnerability VCID-nntm-h1md-dffv
5
vulnerability VCID-sf1s-d3sy-3yh4
6
vulnerability VCID-vxqv-gju3-43g9
7
vulnerability VCID-wbvf-6crf-67fx
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@9.15.0
aliases CVE-2024-53866, GHSA-vm32-9rqf-rh3r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5hux-erzs-vkfb
1
url VCID-8a2j-f9cz-1kav
vulnerability_id VCID-8a2j-f9cz-1kav
summary pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47829
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.19996
published_at 2026-06-13T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19971
published_at 2026-06-14T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19802
published_at 2026-06-11T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19976
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47829
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47829
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47829
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2361884
reference_id 2361884
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2361884
5
reference_url https://github.com/advisories/GHSA-8cc4-rfj6-fhg4
reference_id GHSA-8cc4-rfj6-fhg4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8cc4-rfj6-fhg4
6
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4
reference_id GHSA-8cc4-rfj6-fhg4
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T16:07:35Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4
fixed_packages
0
url pkg:npm/pnpm@10.0.0
purl pkg:npm/pnpm@10.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-che8-5n7s-sqeq
1
vulnerability VCID-fsge-arhh-ekh3
2
vulnerability VCID-g6u9-b6us-fuhq
3
vulnerability VCID-jd55-xw7a-ebev
4
vulnerability VCID-nntm-h1md-dffv
5
vulnerability VCID-sf1s-d3sy-3yh4
6
vulnerability VCID-vxqv-gju3-43g9
7
vulnerability VCID-wbvf-6crf-67fx
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.0.0
aliases CVE-2024-47829, GHSA-8cc4-rfj6-fhg4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8a2j-f9cz-1kav
2
url VCID-che8-5n7s-sqeq
vulnerability_id VCID-che8-5n7s-sqeq
summary pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69263
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.00978
published_at 2026-06-14T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.00976
published_at 2026-06-13T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.00969
published_at 2026-06-12T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.0097
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69263
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
reference_id 0958027f88a99ccefe7e9676cdebba393dfbdc85
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/
url https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427703
reference_id 2427703
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427703
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69263
reference_id CVE-2025-69263
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69263
6
reference_url https://github.com/advisories/GHSA-7vhp-vf5g-r2fw
reference_id GHSA-7vhp-vf5g-r2fw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7vhp-vf5g-r2fw
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
reference_id GHSA-7vhp-vf5g-r2fw
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
fixed_packages
0
url pkg:npm/pnpm@10.26.0
purl pkg:npm/pnpm@10.26.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fsge-arhh-ekh3
1
vulnerability VCID-jd55-xw7a-ebev
2
vulnerability VCID-nntm-h1md-dffv
3
vulnerability VCID-sf1s-d3sy-3yh4
4
vulnerability VCID-vxqv-gju3-43g9
5
vulnerability VCID-wbvf-6crf-67fx
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.26.0
aliases CVE-2025-69263, GHSA-7vhp-vf5g-r2fw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-che8-5n7s-sqeq
3
url VCID-fsge-arhh-ekh3
vulnerability_id VCID-fsge-arhh-ekh3
summary pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23889
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05907
published_at 2026-06-14T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05914
published_at 2026-06-13T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05922
published_at 2026-06-12T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05897
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23889
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433093
reference_id 2433093
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433093
4
reference_url https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
reference_id 6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23889
reference_id CVE-2026-23889
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23889
6
reference_url https://github.com/advisories/GHSA-6x96-7vc8-cm3p
reference_id GHSA-6x96-7vc8-cm3p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6x96-7vc8-cm3p
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
reference_id GHSA-6x96-7vc8-cm3p
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
8
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id v10.28.1
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jd55-xw7a-ebev
1
vulnerability VCID-wbvf-6crf-67fx
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23889, GHSA-6x96-7vc8-cm3p
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fsge-arhh-ekh3
4
url VCID-jd55-xw7a-ebev
vulnerability_id VCID-jd55-xw7a-ebev
summary pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies and CI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24056
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02688
published_at 2026-06-13T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02699
published_at 2026-06-14T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02694
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24056
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433605
reference_id 2433605
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433605
4
reference_url https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
reference_id b277b45bc35ae77ca72d7634d144bbd58a48b70f
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24056
reference_id CVE-2026-24056
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24056
6
reference_url https://github.com/advisories/GHSA-m733-5w8f-5ggw
reference_id GHSA-m733-5w8f-5ggw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m733-5w8f-5ggw
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw
reference_id GHSA-m733-5w8f-5ggw
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw
8
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
reference_id v10.28.2
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
fixed_packages
0
url pkg:npm/pnpm@10.28.2
purl pkg:npm/pnpm@10.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2
1
url pkg:npm/pnpm@11.0.0-alpha.0
purl pkg:npm/pnpm@11.0.0-alpha.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0
aliases CVE-2026-24056, GHSA-m733-5w8f-5ggw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jd55-xw7a-ebev
5
url VCID-nntm-h1md-dffv
vulnerability_id VCID-nntm-h1md-dffv
summary pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23890
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05907
published_at 2026-06-14T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05914
published_at 2026-06-13T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05922
published_at 2026-06-12T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05897
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23890
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433090
reference_id 2433090
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433090
4
reference_url https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
reference_id 8afbb1598445d37985d91fda18abb4795ae5062d
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23890
reference_id CVE-2026-23890
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23890
6
reference_url https://github.com/advisories/GHSA-xpqm-wm3m-f34h
reference_id GHSA-xpqm-wm3m-f34h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xpqm-wm3m-f34h
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
reference_id GHSA-xpqm-wm3m-f34h
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
8
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id v10.28.1
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jd55-xw7a-ebev
1
vulnerability VCID-wbvf-6crf-67fx
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23890, GHSA-xpqm-wm3m-f34h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nntm-h1md-dffv
6
url VCID-sf1s-d3sy-3yh4
vulnerability_id VCID-sf1s-d3sy-3yh4
summary pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23888
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05907
published_at 2026-06-14T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05914
published_at 2026-06-13T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05922
published_at 2026-06-12T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05897
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23888
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433095
reference_id 2433095
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433095
4
reference_url https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
reference_id 5c382f0ca3b7cc49963b94677426e66539dcb3f5
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23888
reference_id CVE-2026-23888
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23888
6
reference_url https://github.com/advisories/GHSA-6pfh-p556-v868
reference_id GHSA-6pfh-p556-v868
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6pfh-p556-v868
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868
reference_id GHSA-6pfh-p556-v868
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868
8
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id v10.28.1
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jd55-xw7a-ebev
1
vulnerability VCID-wbvf-6crf-67fx
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23888, GHSA-6pfh-p556-v868
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sf1s-d3sy-3yh4
7
url VCID-vxqv-gju3-43g9
vulnerability_id VCID-vxqv-gju3-43g9
summary pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69262.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69262.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69262
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12818
published_at 2026-06-11T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12906
published_at 2026-06-14T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12914
published_at 2026-06-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12925
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69262
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427662
reference_id 2427662
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427662
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69262
reference_id CVE-2025-69262
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69262
5
reference_url https://github.com/advisories/GHSA-2phv-j68v-wwqx
reference_id GHSA-2phv-j68v-wwqx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2phv-j68v-wwqx
6
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
reference_id GHSA-2phv-j68v-wwqx
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:30Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
7
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.27.0
reference_id v10.27.0
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:30Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.27.0
fixed_packages
0
url pkg:npm/pnpm@10.27.0
purl pkg:npm/pnpm@10.27.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fsge-arhh-ekh3
1
vulnerability VCID-jd55-xw7a-ebev
2
vulnerability VCID-nntm-h1md-dffv
3
vulnerability VCID-sf1s-d3sy-3yh4
4
vulnerability VCID-wbvf-6crf-67fx
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.27.0
aliases CVE-2025-69262, GHSA-2phv-j68v-wwqx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vxqv-gju3-43g9
8
url VCID-wbvf-6crf-67fx
vulnerability_id VCID-wbvf-6crf-67fx
summary pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24131
reference_id
reference_type
scores
0
value 7e-05
scoring_system epss
scoring_elements 0.00647
published_at 2026-06-14T12:55:00Z
1
value 7e-05
scoring_system epss
scoring_elements 0.00644
published_at 2026-06-11T12:55:00Z
2
value 7e-05
scoring_system epss
scoring_elements 0.00643
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24131
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
reference_id 17432ad5bbed5c2e77255ca6d56a1449bbcfd943
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433115
reference_id 2433115
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433115
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24131
reference_id CVE-2026-24131
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-24131
6
reference_url https://github.com/advisories/GHSA-v253-rj99-jwpq
reference_id GHSA-v253-rj99-jwpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v253-rj99-jwpq
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
reference_id GHSA-v253-rj99-jwpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
8
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
reference_id v10.28.2
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
fixed_packages
0
url pkg:npm/pnpm@10.28.2
purl pkg:npm/pnpm@10.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2
1
url pkg:npm/pnpm@11.0.0-alpha.0
purl pkg:npm/pnpm@11.0.0-alpha.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0
aliases CVE-2026-24131, GHSA-v253-rj99-jwpq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wbvf-6crf-67fx
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@9.5.0