pkg:npm/pnpm

All known vulnerabilities

• HIGH8.8CVE-2025-69264pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"
  >= 10.0.0, < 10.26.0
• HIGH8.8CVE-2022-26183Untrusted Search Path in PNPM
  from 0, < 6.15.1
• HIGH7.5CVE-2025-69263pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
  from 0, < 10.26.0
• HIGH7.5CVE-2025-69262pnpm vulnerable to Command Injection via environment variable substitution
  >= 6.25.0, < 10.27.0
• HIGH7.5CVE-2023-37478pnpm incorrectly parses tar archives relative to specification
  from 0, < 7.33.4
• MEDIUM6.5CVE-2026-23888pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
  from 0, < 10.28.1
• MEDIUM6.5CVE-2026-23889pnpm has Windows-specific tarball Path Traversal
  from 0, < 10.28.1
• MEDIUM6.5CVE-2026-23890pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
  from 0, < 10.28.1
• MEDIUM6.5CVE-2026-24056pnpm has symlink traversal in file:/git dependencies
  from 0, < 10.28.2
• MEDIUM6.5CVE-2024-47829pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
  from 0, < 10.0.0
• —CVE-2026-24131pnpm has Path Traversal via arbitrary file permission modification
  from 0, < 10.28.2
• —CVE-2024-53866pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
  from 0, < 9.15.0