Directory Traversal Vulnerability in pnpm Package Manager by pnpm
CVE-2026-59194
7.1HIGH
What is CVE-2026-59194?
A directory traversal vulnerability in pnpm package manager allows an attacker to craft patch entries that can resolve outside of the intended patches directory. This could lead to arbitrary file deletion on the system where pnpm is executed, posing significant security risks. The issue was identified in versions prior to 10.34.4 and 11.7.0, and it has been addressed in subsequent updates. Users are strongly advised to upgrade to the latest versions to mitigate this risk.
Affected Version(s)
pnpm < 10.34.4 < 10.34.4
pnpm >= 11.0.0, < 11.7.0 < 11.0.0, 11.7.0
