Every CVE whose affected-product data names Yarnpkg Yarn, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (7)
CVE-2019-5448 — CVSS 8.1 (high): Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication…
CVE-2019-10773 — CVSS 7.8 (high): In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using…
CVE-2021-4435 — CVSS 7.7 (high): An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled…
CVE-2020-8131 — CVSS 7.5 (high): Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead…
CVE-2019-15608 — CVSS 5.9 (medium): The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to…
CVE-2025-8262 — CVSS 4.3 (medium): A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function…
CVE-2025-9308 — CVSS 3.3 (low): A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js…