Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package pnpm, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2024-53866 — CVSS 9.8 (critical): The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm…
CVE-2022-26183 — CVSS 8.8 (high): PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when…
CVE-2025-69264 — CVSS 8.8 (high): pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install…
CVE-2025-69263 — CVSS 7.5 (high): pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without…
CVE-2023-37478 — CVSS 7.5 (high): pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when…
CVE-2025-69262 — CVSS 7.5 (high): pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable…
CVE-2026-23890 — CVSS 6.5 (medium): pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to…
CVE-2026-24056 — CVSS 6.5 (medium): pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and…
CVE-2024-47829 — CVSS 6.5 (medium): pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression…
CVE-2026-23888 — CVSS 6.5 (medium): pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to…
CVE-2026-23889 — CVSS 6.5 (medium): pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages…
CVE-2026-24131 — CVSS 5.5 (medium): pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without…