VDB

CVE-2026-23890

CVE-2026-23890 PUBLISHED CVSS 6.5 MEDIUM

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.

EPSS 0.02% · 6.0th percentile

Risk Scores

CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score
0.02%
6.0th percentile

Affected Products

VendorProductVersions
npmpnpm0, 0, 0
pnpmpnpm< 10.28.1, < 10.28.1, 0

Timeline

  • Jan 26, 2026 CVE Published
  • Jan 27, 2026 EPSS Score
  • Jan 27, 2026 PoC Published
  • Jan 29, 2026 CVE Updated
  • Jan 29, 2026 EPSS Score
  • Jan 30, 2026 Security Advisory
  • Feb 1, 2026 EPSS Score
  • Feb 3, 2026 EPSS Score
  • Feb 6, 2026 EPSS Score
  • Feb 8, 2026 EPSS Score
  • Feb 11, 2026 EPSS Score
  • Feb 13, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›