pnpm: EUVD-2026-39487 / CVE-2026-55700 (HIGH)

Path Traversal (CWE-22)
2026-06-25 · GitHub_M · GHSA-v23m-ccfg-pq9h
CVSS 3.1 base score 7.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

vuln.today AI: 7.1 HIGH
Registry-controlled input over the network (AV:N, PR:N), but the victim must run `pnpm stage download` (UI:R); an arbitrary file overwrite gives I:H with A:L and no confidentiality impact (C:N).
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: Jun 25, 2026 - 19:17 (EUVD)
Source Code Evidence Fetched: Jun 25, 2026 - 18:17 (vuln.today)
Analysis Generated: Jun 25, 2026 - 18:17 (vuln.today)

Description (CVE.org)

pnpm is a package manager. From 11.3.0 until 11.5.3, pnpm stage download derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing. This vulnerability is fixed in 11.5.3.

Analysis (AI)

Path traversal in pnpm's pnpm stage download command (versions 11.3.0 through 11.5.2) lets a malicious or compromised registry overwrite arbitrary files reachable by the user running the command. The tool built a local tarball filename directly from registry-controlled package name and version fields, so a crafted manifest (e.g. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Compromise or host malicious registry
Delivery: Serve staged tarball with crafted manifest name/version
Exploit: Victim runs `pnpm stage download`
Execution: Traversal escapes download directory
Persist: Overwrite reachable file
Impact: Integrity loss / potential code execution

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the victim to invoke the `pnpm stage download` command (a release-staging subcommand) against a registry the attacker controls or has compromised, with a pnpm version between 11.3.0 and 11.5.2. …
Risk Assessment: The provided CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L): network vector, low complexity, no attacker privileges, but user interaction required, with high integrity and low availability impact and no confidentiality loss. This is consistent with a file-overwrite primitive rather than direct data theft or code execution. …
Exploit Scenario: An attacker who controls or has compromised a registry serving staged tarballs publishes a manifest whose name or version field contains path-traversal sequences (e.g. version `1.0.0/../../.bashrc`). …
Remediation: Vendor-released patch: upgrade to pnpm 11.5.3 or later, which validates the package name and version fields and verifies that the write destination stays within the download directory. …

Recommended Action (AI)

Within 24 hours: Audit systems and CI/CD pipelines using pnpm versions 11.3.0-11.5.2; document current pnpm version across development teams. …



EUVD-2026-39487 vulnerability details – vuln.today
