← volver
CVE-2026-42089

yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

CVSS 8.6 HIGHEPSS 0.1%CWE-829
Vexday Risk Score
41Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 8.6EPSS 0.1%KEV nãoPoC públicaNuclei Metasploit Patch
Ciclo de vida
16 jun 2026Publicada en NVD
26 jun 2026PoC pública
Recomendación: Planificar corrección próxima — ya existe PoC pública.
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Productos afectados
yeoman · environment
PoCs públicas encontradas1
githubgithub.com/0xmrma/CVE-2026-420890
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fahttps://github.com/yeoman/environment/pull/753https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp