CVE-2026-0775
HIGHCVSS Vector
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Analysis
npm cli contains an insecure module loading mechanism that enables local privilege escalation on Node.js installations. An attacker with low-privileged code execution can exploit this flaw to gain elevated privileges and execute arbitrary code with target user permissions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running npm cli and assess exposure in development environments and CI/CD infrastructure. Within 7 days: Implement compensating controls including restricting npm cli usage to trusted users, disabling npm auto-update features, and enforcing principle of least privilege on developer accounts. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today