Path Traversal Vulnerability in pnpm Package Manager
CVE-2026-55700

7.1 HIGH

Key Information:

Vendor: Pnpm
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-55700?

pnpm versions from 11.3.0 up to, but not including, 11.5.3 contain a path traversal vulnerability in the pnpm stage download command: the local filename for a downloaded package is derived from the registry-controlled package name and version fields of the manifest, so a crafted manifest can make that filename escape the designated download directory and overwrite other files the pnpm process can write to. The issue is fixed in version 11.5.3, which validates both fields so that only safe filenames are derived from them and verifies that the resulting destination lies inside the download directory before writing any file.

Affected Version(s)

pnpm >= 11.3.0, < 11.5.3

References

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
