Insecure Package Management in pnpm Affects Dependency Integrity
CVE-2026-48995

4.8MEDIUM

Key Information:

Vendor: Pnpm
Status: Pnpm
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-48995?

The pnpm package manager is susceptible to a security issue where it fails to verify the integrity of packages fetched from codeload.github.com. Prior to versions 10.33.4 and 11.0.7, pnpm could install any tarball without validating its contents against the lockfile, posing a significant risk if the server or user environment is compromised. This flaw enables attackers to serve malicious code disguised as legitimate packages, leading to potential unauthorized access or data breaches. Upgrading to the fixed versions is crucial for maintaining software security.

Affected Version(s)

pnpm < 10.33.4 < 10.33.4

pnpm >= 11.0.0, < 11.0.7 < 11.0.0, 11.0.7

References

https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3...

x_refsource_CONFIRM

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
May 26, 2026

CVE-2026-48995 Data

JSON

Pnpm

What is CVE-2026-48995?

Affected Version(s)

References

CVSS V4

Timeline