What is CVE-2026-55698?

CVE-2026-55698 is a high-severity vulnerability in Pnpm, classified under Insufficient Verification of Data Authenticity. CVSS score: 8.8/10. Published 2026-06-25.

How severe is CVE-2026-55698?

High severity. CVSS v3 base score is 8.8 out of 10.

Vulnerability in Pnpm

CVE-2026-55698

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDep…

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Pnpm — versions < 10.34.2, >= 11.0.0, < 11.5.3

Weakness classification (CWE)

CWE-345 — Insufficient Verification of Data Authenticity
CWE-494 — Download of Code Without Integrity Check
CWE-829 — Inclusion of Functionality from Untrusted Control Sphere

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-55698?: CVE-2026-55698 is a high-severity vulnerability in Pnpm, classified under Insufficient Verification of Data Authenticity. CVSS score: 8.8/10. Published 2026-06-25.
How severe is CVE-2026-55698?: High severity. CVSS v3 base score is 8.8 out of 10.