Vulnerabilities in pnpm

24 results
| CVE | Severity | Title | EPSS |
|---|---|---|---|
| CVE-2024-53866 | MEDIUM | pnpm vulnerable to no-script global cache poisoning via overrides / `ignore-scripts` evasion | 0.9% |
| CVE-2025-69262 | HIGH | pnpm vulnerable to Command Injection via environment variable substitution | 0.9% |
| CVE-2023-37478 | HIGH | pnpm incorrectly parses tar archives relative to specification | 0.9% |
| CVE-2025-69264 | HIGH | pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default" | 0.8% |
| CVE-2026-24056 | MEDIUM | pnpm has symlink traversal in file:/git dependencies | 0.5% |
| CVE-2026-23890 | MEDIUM | pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin | 0.4% |
| CVE-2026-23889 | MEDIUM | pnpm has Windows-specific tarball Path Traversal | 0.4% |
| CVE-2026-23888 | MEDIUM | pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip) | 0.4% |
| CVE-2026-50017 | MEDIUM | pnpm binds unscoped user-level npm auth credentials to a repository-selected registry | 0.3% |
| CVE-2026-50016 | HIGH | pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement | 0.3% |
| CVE-2026-55699 | MEDIUM | pnpm: reserved bin name deletes PNPM_HOME during global remove | 0.3% |
| CVE-2026-55700 | HIGH | pnpm: stage download writes outside destination via manifest version traversal | 0.3% |
| CVE-2026-50015 | HIGH | pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) | 0.3% |
| CVE-2026-24131 | MEDIUM | pnpm has Path Traversal via arbitrary file permission modification | 0.2% |
| CVE-2025-69263 | HIGH | pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies | 0.2% |
| CVE-2026-55180 | MEDIUM | pnpm: Repository config can expand victim environment secrets into registry requests before scripts run | 0.2% |
| CVE-2024-47829 | MEDIUM | pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting | 0.2% |
| CVE-2026-55698 | HIGH | pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes | 0.2% |
| CVE-2026-50014 | MEDIUM | pnpm: Git Fetch Argument Injection via Lockfile resolution.commit | 0.2% |
| CVE-2026-48995 | MEDIUM | pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile | 0.1% |