CVE-2026-55697

EPSS -
Veröffentlicht 25.06.2026 16:42:08
Zuletzt bearbeitet 26.06.2026 05:16:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

pnpm: Repository-controlled configDependencies can select a pacquet native install engine

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency as an install-engine opt-in. During install, pnpm resolved a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawned it as the developer or CI user. This vulnerability is fixed in 10.34.2 and 11.5.3.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 3 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerpnpm

≫

Produkt pnpm

Version < 10.34.2

Status affected

Version >= 11.0.0, < 11.5.3

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-494 Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://github.com/pnpm/pnpm/security/advisories/GHSA-gj8w-mvpf-x27x

https://nvd.nist.gov/vuln/detail/CVE-2026-55697

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-55697

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-55697

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-55697