CVE-2026-50016

EPSS -
Veröffentlicht 25.06.2026 16:53:16
Zuletzt bearbeitet 26.06.2026 05:16:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerpnpm

≫

Produkt pnpm

Version < 10.33.4

Status affected

Version >= 11.0.0, < 11.4.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/pnpm/pnpm/security/advisories/GHSA-hwx4-2j3j-g496

https://nvd.nist.gov/vuln/detail/CVE-2026-50016

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-50016

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-50016

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-50016