Command Injection Risk in pnpm Package Manager by pnpm
CVE-2026-50014

6.4 MEDIUM

Key Information:

Vendor: pnpm

Status: Vendor

CVE Published: 25 June 2026

What is CVE-2026-50014?

pnpm resolves Git-hosted dependencies from the commit recorded in the lockfile and passes that value to git as the ref to fetch. In versions prior to 10.34.0 and 11.4.0 it did not verify that the value is a 40-character commit hash, so an attacker who can modify the lockfile consumed by pnpm can replace the hash with a Git command-line option such as --upload-pack=. Git then parses the lockfile value as an option rather than a ref; for SSH and local (file path) transports --upload-pack names the program git runs to serve the fetch, so an attacker-chosen command is executed during the install. The injected value only needs to survive review of the lockfile, which is rarely read line by line. Upgrade to 10.34.0 or 11.4.0 (or later), and treat lockfile changes with the same scrutiny as code changes.
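The check the advisory describes, written as an added example and not pnpm's own code: a resolver accepts a lockfile Git entry only when its commit field is a full hexadecimal object id, and builds the git argv with a -- separator so positional arguments can never be parsed as options. The entry shape, the lockfile samples and the repo paths are constructed for illustration; allowing 64-hex (SHA-256) ids is an assumption beyond the 40-character hash the advisory mentions.

```javascript
// Added example, not pnpm's code: validate lockfile-controlled Git refs before
// they reach git, and never let a ref occupy an option position in argv.

// Full SHA-1 object id is 40 lowercase hex chars; SHA-256 repositories use 64.
// Assumption: accepting 64-hex ids is ours, the advisory only names the 40-char hash.
const COMMIT_RE = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;

// True only for a complete object id. Abbreviated hashes, branch names, tags and
// anything starting with "-" are rejected, so "--upload-pack=..." never passes.
function isCommitHash(value) {
  return typeof value === "string" && COMMIT_RE.test(value);
}

// Build argv for `git fetch` from a (constructed) lockfile entry { repo, commit }.
// Throws rather than falling back to a looser ref, because the lockfile is
// attacker-influenced input, not trusted configuration.
function gitFetchArgs(entry) {
  if (!isCommitHash(entry.commit)) {
    throw new Error(`refusing git ref from lockfile: ${JSON.stringify(entry.commit)}`);
  }
  // "--" ends option parsing: repo and commit are positional even if the check
  // above were ever bypassed. Defense in depth, not the primary control.
  return ["fetch", "--depth=1", "--", entry.repo, entry.commit];
}

// Wrapper that reports instead of throwing, so a caller can log and abort the install.
function safeResolve(entry) {
  try {
    return { ok: true, args: gitFetchArgs(entry) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed lockfile entries; repo locations are hypothetical.
const SAMPLE_OK = {
  repo: "ssh://git@example.invalid/org/lib.git",
  commit: "0123456789abcdef0123456789abcdef01234567",
};
const SAMPLE_BAD = {
  repo: "/srv/git/lib.git",
  commit: "--upload-pack=evil", // the option the advisory describes, with a placeholder command
};
const SAMPLE_SHORT = { repo: "/srv/git/lib.git", commit: "0123456" };

module.exports = { isCommitHash, gitFetchArgs, safeResolve, SAMPLE_OK, SAMPLE_BAD, SAMPLE_SHORT };
```

The hash check is the fix that matters: a ref that is exactly 40 or 64 hex characters cannot start with "-" and cannot carry an option. The -- separator is added so that a future refactor that loosens the check does not silently reopen the option-injection path.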

Affected Version(s)

pnpm < 10.33.4

pnpm >= 11.0.0, < 11.4.0

CVSS v3.1

Score: 6.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Vector as listed above: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
