CVE-2026-55697

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency as an install-engine opt-in. During install, pnpm resolved a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawned it as the developer or CI user. This vulnerability is fixed in 10.34.2 and 11.5.3.
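As an added, defender-side example (not pnpm's own code and not part of the advisory), the following Python script audits a repository for the condition described above: it flags pacquet or @pnpm/pacquet declared under configDependencies in pnpm-workspace.yaml and reports whether a given pnpm version falls inside the affected ranges (10.x before 10.34.2, 11.x before 11.5.3). It assumes pnpm-workspace.yaml lists configDependencies as a flat YAML mapping of package name to a "version+integrity" string; the sample workspace file, its placeholder integrity hashes and the version strings are constructed for the example.

```python
"""Audit pnpm-workspace.yaml for install-engine config dependencies (CVE-2026-55697).

Added example, not pnpm project code. Assumes configDependencies is a flat
mapping of package name -> "version+integrity" directly under the top-level
key; the sample input below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Package names the advisory says pnpm treated as an install-engine opt-in.
INSTALL_ENGINE_NAMES = {"pacquet", "@pnpm/pacquet"}

# Fixed versions stated in the advisory, keyed by major release line.
FIXED_VERSIONS = {10: (10, 34, 2), 11: (11, 5, 3)}


def parse_config_dependencies(workspace_yaml: str) -> Dict[str, str]:
    """Return the configDependencies mapping from pnpm-workspace.yaml text.

    Minimal line-based parser: it collects the indented `name: value` entries
    under a top-level `configDependencies:` key. That covers the flat mapping
    pnpm uses without pulling in a YAML library. A '#' inside a quoted value
    would be treated as a comment, which real integrity strings never contain.
    """
    deps: Dict[str, str] = {}
    in_block = False
    for raw in workspace_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, keep indentation
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            # A new top-level key: enter the block only for configDependencies.
            in_block = line.strip() == "configDependencies:"
            continue
        if in_block:
            key, sep, value = line.strip().partition(":")
            if sep:
                deps[key.strip().strip("'\"")] = value.strip().strip("'\"")
    return deps


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', pre-release suffix ignored)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized pnpm version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True when a pnpm version is in an affected range (<10.34.2 on 10.x, <11.5.3 on 11.x).

    Assumption: other major lines are reported as outside the advisory's stated
    ranges, since the advisory only names the 10.x and 11.x fixed releases.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    return fixed is not None and v < fixed


def audit(workspace_yaml: str, pnpm_version: str) -> List[str]:
    """Return human-readable findings for a workspace file and the pnpm version in use."""
    findings: List[str] = []
    for name, spec in parse_config_dependencies(workspace_yaml).items():
        if name in INSTALL_ENGINE_NAMES:
            findings.append(
                f"configDependencies declares install engine {name} ({spec}); "
                "review who controls this repository file before running install"
            )
    if is_vulnerable_version(pnpm_version):
        findings.append(
            f"pnpm {pnpm_version} is in an affected range; upgrade to 10.34.2 or 11.5.3"
        )
    return findings


# Constructed sample workspace file; the integrity hashes are placeholders.
SAMPLE_WORKSPACE = """\
packages:
  - "packages/*"
configDependencies:
  "@pnpm/pacquet": "0.0.0+sha512-PLACEHOLDERINTEGRITY"   # constructed entry
  my-shared-configs: "1.2.3+sha512-PLACEHOLDERINTEGRITY"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKSPACE, "10.30.0"):
        print(finding)
```

In CI this check belongs before `pnpm install` runs, because the advisory's point is that the config dependency was resolved and spawned during install itself; pair it with pinning pnpm to a fixed release.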
Configurations

Configuration 1

OR cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*

History

30 Jun 2026, 19:04

CPE added: cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*
First Time: Pnpm; Pnpm pnpm
References: https://github.com/pnpm/pnpm/security/advisories/GHSA-gj8w-mvpf-x27x, tags updated to Exploit, Vendor Advisory

29 Jun 2026, 16:16

References: https://github.com/pnpm/pnpm/security/advisories/GHSA-gj8w-mvpf-x27x (entry removed and re-added, no tags)

25 Jun 2026, 18:16

New CVE

Information

Published : 2026-06-25 18:16

Updated : 2026-06-30 19:04


NVD link : CVE-2026-55697

Mitre link : CVE-2026-55697

CVE.ORG link : CVE-2026-55697

Products Affected

pnpm

  • pnpm

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-494

Download of Code Without Integrity Check

CWE-829

Inclusion of Functionality from Untrusted Control Sphere