Local Code Execution Vulnerability in Yeoman Environment Products
CVE-2026-42089

8.6 HIGH

Key Information:

Vendor: Yeoman
CVE Published: 16 June 2026

What is CVE-2026-42089?

The Yeoman Environment installs local generator packages whose names come from user-supplied input without asking the user for confirmation. The flaw affects versions 2.9.0 through 6.0.0: an attacker who can inject a malicious project configuration can cause arbitrary code execution during the command-line interface (CLI) bootstrap process, exposing the system on which the CLI is run. The method in question, installLocalGenerators(), calls repository.install() directly without any user prompt. A patch has been implemented in version 6.0.0 to rectify this issue.
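The pattern the advisory describes, and the confirmation gate that closes it, shown side by side in an added example. This is not Yeoman's code: the project configuration, the installer backend, the name validator and the confirm callback are all constructed for illustration. What it shows is that any package name taken from a project file must be validated and explicitly approved before the installer is ever invoked.

```javascript
// Added example (not Yeoman code). A "project config" names generator
// packages to install; the unsafe variant installs whatever it finds, the
// hardened variant validates the names and asks before installing.

// Constructed sample: one plausible generator name and one name an
// attacker could have planted in a project file (not a real package).
const SAMPLE_CONFIG = {
  generators: {
    "generator-webapp": "^1.0.0",
    "../local-path-package": "*",
  },
};

// Hypothetical installer backend. A real one would shell out to a package
// manager; here it only records what it was asked to install.
function makeInstaller(log) {
  return {
    install(names) {
      log.push(...names);
      return names.length;
    },
  };
}

// Pattern described in the advisory: names from the project file go
// straight to repository.install() with no prompt and no validation.
function installLocalGeneratorsUnsafe(projectConfig, repository) {
  const names = Object.keys(projectConfig.generators || {});
  if (names.length) repository.install(names);
  return names;
}

// Hypothetical allowlist shape for a generator package name: an optional
// npm scope followed by "generator-<name>". Anything else (paths, URLs,
// shell metacharacters) is rejected before it reaches the installer.
function isGeneratorName(name) {
  return /^(@[a-z0-9-~][a-z0-9-._~]*\/)?generator-[a-z0-9-._~]+$/.test(name);
}

// Hardened variant: filter the names, then call the supplied confirm
// callback with the survivors. Only if it returns true is the installer
// invoked, and only with the validated names.
function installLocalGeneratorsConfirmed(projectConfig, repository, confirm) {
  const requested = Object.keys(projectConfig.generators || {});
  const rejected = requested.filter((n) => !isGeneratorName(n));
  const candidates = requested.filter(isGeneratorName);
  if (candidates.length === 0) {
    return { installed: [], rejected, declined: false };
  }
  if (!confirm(candidates)) {
    return { installed: [], rejected, declined: true };
  }
  repository.install(candidates);
  return { installed: candidates, rejected, declined: false };
}

// Stand-alone run: show both behaviours on the constructed config.
if (typeof require !== "undefined" && require.main === module) {
  const unsafeLog = [];
  installLocalGeneratorsUnsafe(SAMPLE_CONFIG, makeInstaller(unsafeLog));
  console.log("unsafe installed:", unsafeLog);

  const safeLog = [];
  const result = installLocalGeneratorsConfirmed(
    SAMPLE_CONFIG,
    makeInstaller(safeLog),
    (names) => {
      console.log("would prompt user to approve:", names);
      return false; // simulate the user declining
    }
  );
  console.log("hardened installed:", safeLog, "result:", result);
}
```

In a real CLI the confirm callback would be an interactive prompt (or a non-interactive flag that defaults to "no"); the design point is that the package manager is never touched until the user has seen the exact list of validated names and approved it.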

Affected Version(s)

environment >= 2.9.0, < 6.0.1

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved