Vulnerability in Pnpm
CVE-2026-48995
pnpm is a package manager. Prior to versions 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencie…
Affected products
- pnpm: versions < 10.33.4
- pnpm: versions >= 11.0.0, < 11.0.7
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)