VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-nntm-h1md-dffv

Essentials
Severities (17)
References (9)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-nntm-h1md-dffv
Aliases	CVE-2026-23890 GHSA-xpqm-wm3m-f34h
Summary	pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-23	Relative Path Traversal
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2026-23890
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-xpqm-wm3m-f34h
cvssv3.1	6.5	https://github.com/pnpm/pnpm
generic_textual	MODERATE	https://github.com/pnpm/pnpm
cvssv3.1	6.5	https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
generic_textual	MODERATE	https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
ssvc	Track	https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
cvssv3.1	6.5	https://github.com/pnpm/pnpm/releases/tag/v10.28.1
generic_textual	MODERATE	https://github.com/pnpm/pnpm/releases/tag/v10.28.1
ssvc	Track	https://github.com/pnpm/pnpm/releases/tag/v10.28.1
cvssv3.1	6.5	https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
cvssv3.1_qr	MODERATE	https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
generic_textual	MODERATE	https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
ssvc	Track	https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2026-23890
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-23890

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-23890
		https://github.com/pnpm/pnpm
2433090		https://bugzilla.redhat.com/show_bug.cgi?id=2433090
8afbb1598445d37985d91fda18abb4795ae5062d		https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
CVE-2026-23890		https://nvd.nist.gov/vuln/detail/CVE-2026-23890
GHSA-xpqm-wm3m-f34h		https://github.com/advisories/GHSA-xpqm-wm3m-f34h
GHSA-xpqm-wm3m-f34h		https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
v10.28.1		https://github.com/pnpm/pnpm/releases/tag/v10.28.1

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/pnpm/pnpm

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/ Found at https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/pnpm/pnpm/releases/tag/v10.28.1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/ Found at https://github.com/pnpm/pnpm/releases/tag/v10.28.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/ Found at https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-23890

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.05897
EPSS Score	0.0002
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:42:02.051294+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/23xxx/CVE-2026-23890.json	38.6.0