Directory Traversal Vulnerability in pnpm Package Manager
CVE-2026-59196

7.1HIGH

Key Information:

Vendor

Pnpm

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-59196?

The pnpm package manager is affected by a directory traversal vulnerability that allows crafted lockfile aliases to be improperly joined under a hoisted node_modules directory. This can lead to the potential escape from the intended directory structure. Additionally, certain reserved aliases—such as .bin or .pnpm—may overwrite pnpm's owned layout, presenting further security risks. This vulnerability has been addressed in versions 10.34.4 and 11.7.0.

Affected Version(s)

pnpm < 10.34.4 < 10.34.4

pnpm >= 11.0.0, < 11.7.0 < 11.0.0, 11.7.0

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.