Cross-Site Scripting in pnpm Affects Multiple Versions
CVE-2026-59195
8.2HIGH
What is CVE-2026-59195?
The pnpm package manager is susceptible to a path traversal vulnerability that can be exploited through crafted package names in the env lockfile’s configDependencies section. By leveraging this flaw, a malicious actor can manipulate the pnpm-lock.yaml file to introduce a crafted config dependency name, causing pnpm to create symbolic links in the node_modules/.pnpm-config directory that point to unintended locations. This allows for potential code execution or unauthorized access to sensitive files. Versions prior to 10.34.4 and 11.8.0 have been patched to mitigate this risk.
Affected Version(s)
pnpm < 10.34.4 < 10.34.4
pnpm >= 11.0.0, < 11.8.0 < 11.0.0, 11.8.0
