CVE-2026-50014

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N                                    

Vulnerability Description

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git option such as --upload-pack=<command>. For SSH and local transports, --upload-pack can execute the supplied command. HTTPS transports ignore --upload-pack, so the practical attack surface is primarily SSH or local git dependencies. This vulnerability is fixed in 10.34.0 and 11.4.0.

Vulnerability Details

Published Date

June 25, 2026

Last Modified

June 26, 2026

CWE ID

CWE-88

Source

NVD

Vendor

pnpm

Product

pnpm

External References

https://github.com/pnpm/pnpm/security/advisories/GHSA-p4xf-rf54-rj3x
https://github.com/pnpm/pnpm/security/advisories/GHSA-p4xf-rf54-rj3x

CVE-2026-50014

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment