Pnpm Pnpm
25 CVEs affecting Pnpm Pnpm. Latest disclosed: 2026-06-25. Critical: 1, High: 11.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-53866 | Critical | 9.8 | 2024-12-10 | The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in gl… |
| CVE-2026-55698 | High | 8.8 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Befor… |
| CVE-2026-50016 | High | 8.8 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segm… |
| CVE-2025-69264 | High | 8.8 | 2026-01-07 | pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 sec… |
| CVE-2022-26183 | High | 8.8 | 2022-03-21 | PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM com… |
| CVE-2026-55697 | High | 7.5 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the… |
| CVE-2026-55487 | High | 7.5 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and o… |
| CVE-2025-69262 | High | 7.5 | 2026-01-07 | pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc config… |
| CVE-2025-69263 | High | 7.5 | 2026-01-07 | pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This… |
| CVE-2023-37478 | High | 7.5 | 2023-08-01 | pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is… |
| CVE-2026-50015 | High | 7.3 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extra… |
| CVE-2026-55700 | High | 7.1 | 2026-06-25 | pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A… |
| CVE-2026-50573 | Medium | 6.8 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downlo… |
| CVE-2026-50021 | Medium | 6.8 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from t… |
| CVE-2026-55699 | Medium | 6.5 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious packa… |
| CVE-2026-55180 | Medium | 6.5 | 2026-06-25 | pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace… |
| CVE-2026-24056 | Medium | 6.5 | 2026-01-26 | pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target… |
| CVE-2026-23890 | Medium | 6.5 | 2026-01-26 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable sh… |
| CVE-2026-23889 | Medium | 6.5 | 2026-01-26 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outsi… |
| CVE-2026-23888 | Medium | 6.5 | 2026-01-26 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside t… |