CVE-2026-23890

Name
CVE-2026-23890
Description
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
security-advisories@github.com https://github.com/pnpm/pnpm/releases/tag/v10.28.1
security-advisories@github.com https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:* pnpm >= None < 10.28.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
pnpm edge-community 10.28.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.26.2-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.26.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.25.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.24.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.23.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.22.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.18.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.18.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.17.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.17.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.15.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.13.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.12.4-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.12.3-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.12.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.11.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.9.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.8.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.7.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.7.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.6.5-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.6.3-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.6.2-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.5.2-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.5.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.4.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.1.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.15.3-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.15.2-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.15.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.15.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.14.4-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm 3.23-community 10.24.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable