CNNVD-202601-4324 Information

CNNVD ID

CNNVD-202601-4324

Related CVE

CVE-2026-23890

• CNNVD Published: 2026-01-26

Description (Chinese)

pnpm是pnpm开源的一个包管理器。 pnpm 10.28.1之前版本存在安全漏洞，该漏洞源于二进制链接存在路径遍历，可能导致恶意npm包在node_modules/.bin外创建可执行文件或符号链接。

Description (English)

pnpm is a package manager for pnpm open source. There was a security loophole in the pre-pnpm10.28.1 version, which stemmed from the existence of binary links, which could lead to malicious npm packs creating an executable or a symbol link outside node modules/.bin.

Hazard Level

High

Vulnerability Type

其他

Affected Vendor

pnpm

Published

2026-01-26

Last Modified

2026-02-24

References

https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d https://github.com/pnpm/pnpm/releases/tag/v10.28.1 https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h

Patch

https://github.com/pnpm/pnpm/releases