Directory Traversal Vulnerability in pnpm Package Manager by pnpm
CVE-2026-59194

7.1HIGH

Key Information:

Vendor

Pnpm

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-59194?

A directory traversal vulnerability in pnpm package manager allows an attacker to craft patch entries that can resolve outside of the intended patches directory. This could lead to arbitrary file deletion on the system where pnpm is executed, posing significant security risks. The issue was identified in versions prior to 10.34.4 and 11.7.0, and it has been addressed in subsequent updates. Users are strongly advised to upgrade to the latest versions to mitigate this risk.

Affected Version(s)

pnpm < 10.34.4 < 10.34.4

pnpm >= 11.0.0, < 11.7.0 < 11.0.0, 11.7.0

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.