What is CVE-2026-55487?

CVE-2026-55487 is a high-severity vulnerability in Pnpm, classified under Origin Validation Error. CVSS score: 7.5/10. Published 2026-06-25.

How severe is CVE-2026-55487?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in Pnpm

CVE-2026-55487

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a…

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Pnpm — versions < 10.34.2, >= 11.0.0, < 11.5.3

Weakness classification (CWE)

CWE-346 — Origin Validation Error
CWE-693 — Protection Mechanism Failure
CWE-829 — Inclusion of Functionality from Untrusted Control Sphere

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-55487?: CVE-2026-55487 is a high-severity vulnerability in Pnpm, classified under Origin Validation Error. CVSS score: 7.5/10. Published 2026-06-25.
How severe is CVE-2026-55487?: High severity. CVSS v3 base score is 7.5 out of 10.