Lookup for vulnerable packages by Package URL.

Purl pkg:npm/pnpm@10.7.0
Type npm
Namespace
Name pnpm
Version 10.7.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 10.28.2
Latest_non_vulnerable_version 11.0.0-alpha.0
Affected_by_vulnerabilities
0
url VCID-19yz-vtve-a7eu
vulnerability_id VCID-19yz-vtve-a7eu
summary
pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"
A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during `pnpm install`, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks `postinstall` scripts via the `onlyBuiltDependencies` mechanism, git dependencies can still execute `prepare`, `prepublish`, and `prepack` scripts during the fetch phase, enabling remote code execution without user consent or approval.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69264.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69264.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69264
reference_id
reference_type
scores
0
value 0.00097
scoring_system epss
scoring_elements 0.26649
published_at 2026-06-09T12:55:00Z
1
value 0.00097
scoring_system epss
scoring_elements 0.26732
published_at 2026-06-06T12:55:00Z
2
value 0.00097
scoring_system epss
scoring_elements 0.26693
published_at 2026-06-07T12:55:00Z
3
value 0.00097
scoring_system epss
scoring_elements 0.26639
published_at 2026-06-08T12:55:00Z
4
value 0.00101
scoring_system epss
scoring_elements 0.27432
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69264
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:29Z/
url https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427709
reference_id 2427709
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427709
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69264
reference_id CVE-2025-69264
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69264
6
reference_url https://github.com/advisories/GHSA-379q-355j-w6rj
reference_id GHSA-379q-355j-w6rj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-379q-355j-w6rj
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
reference_id GHSA-379q-355j-w6rj
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:29Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
fixed_packages
0
url pkg:npm/pnpm@10.26.0
purl pkg:npm/pnpm@10.26.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-54eu-x4xg-xqge
1
vulnerability VCID-5p8u-1r5s-6qbz
2
vulnerability VCID-5yt8-uzxj-vub4
3
vulnerability VCID-78bz-kqa9-uuft
4
vulnerability VCID-f6mh-kk89-8fh6
5
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.26.0
aliases CVE-2025-69264, GHSA-379q-355j-w6rj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-19yz-vtve-a7eu
1
url VCID-54eu-x4xg-xqge
vulnerability_id VCID-54eu-x4xg-xqge
summary
pnpm vulnerable to Command Injection via environment variable substitution
A command injection vulnerability exists in pnpm when using environment variable substitution in `.npmrc` configuration files with `tokenHelper` settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution (RCE) in build environments.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69262.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69262.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69262
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12732
published_at 2026-06-09T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12825
published_at 2026-06-06T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12786
published_at 2026-06-07T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12702
published_at 2026-06-08T12:55:00Z
4
value 0.00044
scoring_system epss
scoring_elements 0.1393
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69262
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.27.0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:30Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.27.0
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427662
reference_id 2427662
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427662
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69262
reference_id CVE-2025-69262
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69262
6
reference_url https://github.com/advisories/GHSA-2phv-j68v-wwqx
reference_id GHSA-2phv-j68v-wwqx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2phv-j68v-wwqx
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
reference_id GHSA-2phv-j68v-wwqx
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:30Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
fixed_packages
0
url pkg:npm/pnpm@10.27.0
purl pkg:npm/pnpm@10.27.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5p8u-1r5s-6qbz
1
vulnerability VCID-5yt8-uzxj-vub4
2
vulnerability VCID-78bz-kqa9-uuft
3
vulnerability VCID-f6mh-kk89-8fh6
4
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.27.0
aliases CVE-2025-69262, GHSA-2phv-j68v-wwqx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-54eu-x4xg-xqge
2
url VCID-5p8u-1r5s-6qbz
vulnerability_id VCID-5p8u-1r5s-6qbz
summary
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23888
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05851
published_at 2026-06-09T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05879
published_at 2026-06-05T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.0587
published_at 2026-06-06T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05872
published_at 2026-06-07T12:55:00Z
4
value 0.0002
scoring_system epss
scoring_elements 0.05827
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23888
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433095
reference_id 2433095
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433095
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23888
reference_id CVE-2026-23888
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23888
7
reference_url https://github.com/advisories/GHSA-6pfh-p556-v868
reference_id GHSA-6pfh-p556-v868
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6pfh-p556-v868
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868
reference_id GHSA-6pfh-p556-v868
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78bz-kqa9-uuft
1
vulnerability VCID-f6mh-kk89-8fh6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23888, GHSA-6pfh-p556-v868
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5p8u-1r5s-6qbz
3
url VCID-5yt8-uzxj-vub4
vulnerability_id VCID-5yt8-uzxj-vub4
summary
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23890
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05851
published_at 2026-06-09T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05879
published_at 2026-06-05T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.0587
published_at 2026-06-06T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05872
published_at 2026-06-07T12:55:00Z
4
value 0.0002
scoring_system epss
scoring_elements 0.05827
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23890
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433090
reference_id 2433090
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433090
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23890
reference_id CVE-2026-23890
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23890
7
reference_url https://github.com/advisories/GHSA-xpqm-wm3m-f34h
reference_id GHSA-xpqm-wm3m-f34h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xpqm-wm3m-f34h
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
reference_id GHSA-xpqm-wm3m-f34h
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78bz-kqa9-uuft
1
vulnerability VCID-f6mh-kk89-8fh6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23890, GHSA-xpqm-wm3m-f34h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5yt8-uzxj-vub4
4
url VCID-78bz-kqa9-uuft
vulnerability_id VCID-78bz-kqa9-uuft
summary
pnpm has symlink traversal in file:/git dependencies
When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data.

**Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24056
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.0267
published_at 2026-06-09T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02765
published_at 2026-06-05T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02772
published_at 2026-06-06T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02718
published_at 2026-06-07T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02701
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24056
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433605
reference_id 2433605
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433605
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24056
reference_id CVE-2026-24056
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24056
7
reference_url https://github.com/advisories/GHSA-m733-5w8f-5ggw
reference_id GHSA-m733-5w8f-5ggw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m733-5w8f-5ggw
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw
reference_id GHSA-m733-5w8f-5ggw
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw
fixed_packages
0
url pkg:npm/pnpm@10.28.2
purl pkg:npm/pnpm@10.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2
1
url pkg:npm/pnpm@11.0.0-alpha.0
purl pkg:npm/pnpm@11.0.0-alpha.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0
aliases CVE-2026-24056, GHSA-m733-5w8f-5ggw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-78bz-kqa9-uuft
5
url VCID-9yxm-kuxe-zbgg
vulnerability_id VCID-9yxm-kuxe-zbgg
summary
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69263
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.00972
published_at 2026-06-09T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.01041
published_at 2026-06-05T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.00971
published_at 2026-06-08T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.00974
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69263
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/
url https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427703
reference_id 2427703
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427703
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69263
reference_id CVE-2025-69263
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69263
6
reference_url https://github.com/advisories/GHSA-7vhp-vf5g-r2fw
reference_id GHSA-7vhp-vf5g-r2fw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7vhp-vf5g-r2fw
7
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
reference_id GHSA-7vhp-vf5g-r2fw
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
fixed_packages
0
url pkg:npm/pnpm@10.26.0
purl pkg:npm/pnpm@10.26.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-54eu-x4xg-xqge
1
vulnerability VCID-5p8u-1r5s-6qbz
2
vulnerability VCID-5yt8-uzxj-vub4
3
vulnerability VCID-78bz-kqa9-uuft
4
vulnerability VCID-f6mh-kk89-8fh6
5
vulnerability VCID-txar-vsfq-9qeq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.26.0
aliases CVE-2025-69263, GHSA-7vhp-vf5g-r2fw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9yxm-kuxe-zbgg
6
url VCID-f6mh-kk89-8fh6
vulnerability_id VCID-f6mh-kk89-8fh6
summary
pnpm has Path Traversal via arbitrary file permission modification
When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations.

**Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24131
reference_id
reference_type
scores
0
value 7e-05
scoring_system epss
scoring_elements 0.00644
published_at 2026-06-09T12:55:00Z
1
value 7e-05
scoring_system epss
scoring_elements 0.00649
published_at 2026-06-06T12:55:00Z
2
value 7e-05
scoring_system epss
scoring_elements 0.00646
published_at 2026-06-07T12:55:00Z
3
value 7e-05
scoring_system epss
scoring_elements 0.00642
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24131
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.2
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433115
reference_id 2433115
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433115
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24131
reference_id CVE-2026-24131
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-24131
7
reference_url https://github.com/advisories/GHSA-v253-rj99-jwpq
reference_id GHSA-v253-rj99-jwpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v253-rj99-jwpq
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
reference_id GHSA-v253-rj99-jwpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
fixed_packages
0
url pkg:npm/pnpm@10.28.2
purl pkg:npm/pnpm@10.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2
1
url pkg:npm/pnpm@11.0.0-alpha.0
purl pkg:npm/pnpm@11.0.0-alpha.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0
aliases CVE-2026-24131, GHSA-v253-rj99-jwpq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f6mh-kk89-8fh6
7
url VCID-txar-vsfq-9qeq
vulnerability_id VCID-txar-vsfq-9qeq
summary
pnpm has Windows-specific tarball Path Traversal
A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal.

**This vulnerability is Windows-only.**
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23889
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05851
published_at 2026-06-09T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05879
published_at 2026-06-05T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.0587
published_at 2026-06-06T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05872
published_at 2026-06-07T12:55:00Z
4
value 0.0002
scoring_system epss
scoring_elements 0.05827
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23889
2
reference_url https://github.com/pnpm/pnpm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pnpm/pnpm
3
reference_url https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
4
reference_url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/releases/tag/v10.28.1
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433093
reference_id 2433093
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433093
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23889
reference_id CVE-2026-23889
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23889
7
reference_url https://github.com/advisories/GHSA-6x96-7vc8-cm3p
reference_id GHSA-6x96-7vc8-cm3p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6x96-7vc8-cm3p
8
reference_url https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
reference_id GHSA-6x96-7vc8-cm3p
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/
url https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
fixed_packages
0
url pkg:npm/pnpm@10.28.1
purl pkg:npm/pnpm@10.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78bz-kqa9-uuft
1
vulnerability VCID-f6mh-kk89-8fh6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1
aliases CVE-2026-23889, GHSA-6x96-7vc8-cm3p
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-txar-vsfq-9qeq
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.7.0