Skip to main content

Pnpm CVE-2022-26183

HIGH
Untrusted Search Path (CWE-426)
2022-03-21 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 21, 2022 - 22:15 nvd
HIGH 8.8

DescriptionNVD

PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.

AnalysisAI

PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-426. PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS. Affected products include: Pnpm.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Pnpm

View all
CVE-2025-69264 CRITICAL POC
9.8 Jan 07

Arbitrary code execution in the pnpm package manager (versions 10.0.0 through 10.25) lets a git-hosted dependency run co

CVE-2023-37478 CRITICAL POC
9.8 Aug 01

pnpm is a package manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentica

CVE-2026-50016 HIGH POC
8.8 Jun 25

Path traversal in pnpm before 10.34.0 and 11.4.0 lets a malicious registry package smuggle '../' segments inside a trans

CVE-2026-55698 HIGH POC
8.8 Jun 25

Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository

CVE-2026-55697 HIGH POC
8.8 Jun 25

Arbitrary command execution in pnpm before 10.34.2 and 11.5.3 allows a malicious repository to run attacker-chosen nativ

CVE-2025-69263 HIGH POC
8.8 Jan 07

Supply-chain integrity bypass in pnpm package manager (versions ≤10.26.2, per description; GHSA states <10.26.0) allows

CVE-2026-50021 HIGH POC
8.1 Jun 25

Integrity-check bypass in the pnpm package manager (versions before 10.34.0/10.34.1 and 11.0.0-11.3.x) lets tampered pac

CVE-2025-69262 HIGH POC
7.8 Jan 07

{VAR} substitution inside .npmrc tokenHelper settings combined with spawnSync invoked with shell: true. The bug primaril

CVE-2026-50015 HIGH POC
7.3 Jun 25

Arbitrary file write and deletion in pnpm package manager (versions prior to 10.34.0 and 11.4.0) lets a malicious contri

CVE-2026-50014 HIGH POC
7.3 Jun 25

Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's m

CVE-2026-55700 HIGH POC
7.1 Jun 25

Path traversal in pnpm's `pnpm stage download` command (versions 11.3.0 through 11.5.2) lets a malicious or compromised

CVE-2026-55699 MEDIUM POC
6.5 Jun 25

Path traversal in pnpm's global package management flows allows deletion of the global bin directory or its parent when

Share

CVE-2022-26183 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy