CVE-2026-48995

Vulnerability Description

pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7.

Vulnerability Details

Published Date

June 25, 2026

Last Modified

June 26, 2026

CWE ID

CWE-353

Source

NVD

Vendor

pnpm

Product

pnpm

External References

https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp
https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp

CVE-2026-48995

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment