Vulnerabilities in pnpm
11 results

CVE-2024-53866 | MEDIUM | pnpm vulnerable to no-script global cache poisoning via overrides / `ignore-scripts` evasion | EPSS 0.9%
CVE-2025-69262 | HIGH | pnpm vulnerable to Command Injection via environment variable substitution | EPSS 0.9%
CVE-2023-37478 | HIGH | pnpm incorrectly parses tar archives relative to specification | EPSS 0.9%
CVE-2025-69264 | HIGH | pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default" | EPSS 0.8%
CVE-2026-24056 | MEDIUM | pnpm has symlink traversal in file:/git dependencies | EPSS 0.5%
CVE-2026-23890 | MEDIUM | pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin | EPSS 0.4%
CVE-2026-23889 | MEDIUM | pnpm has Windows-specific tarball Path Traversal | EPSS 0.4%
CVE-2026-23888 | MEDIUM | pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip) | EPSS 0.4%
CVE-2026-24131 | MEDIUM | pnpm has Path Traversal via arbitrary file permission modification | EPSS 0.2%
CVE-2025-69263 | HIGH | pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies | EPSS 0.2%
CVE-2024-47829 | MEDIUM | pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting | EPSS 0.2%