Directory Traversal Vulnerability in pnpm Package Manager
CVE-2026-59196
7.1HIGH
What is CVE-2026-59196?
The pnpm package manager is affected by a directory traversal vulnerability that allows crafted lockfile aliases to be improperly joined under a hoisted node_modules directory. This can lead to the potential escape from the intended directory structure. Additionally, certain reserved aliases—such as .bin or .pnpm—may overwrite pnpm's owned layout, presenting further security risks. This vulnerability has been addressed in versions 10.34.4 and 11.7.0.
Affected Version(s)
pnpm < 10.34.4 < 10.34.4
pnpm >= 11.0.0, < 11.7.0 < 11.0.0, 11.7.0
