CVE-2026-48995

Severity (CVSS v4.0): MEDIUM
Type: Unavailable / Other
Publication date: 25/06/2026
Last modified: 29/06/2026

Description

pnpm is a package manager. Prior to versions 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve any tarball it wants and pnpm will install it regardless of the lockfile, because the lockfile does not store the hash of dependencies fetched from https://codeload.github.com. This means that if that server was compromised, or a person's machine configuration was compromised, pnpm would download and install the substituted dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7.
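As an added illustration of the gap the description names (this is not pnpm's own code and not part of the advisory), the following Python script scans a pnpm-lock.yaml for packages resolved from codeload.github.com whose resolution entry records no integrity hash. The lockfile excerpt and package names are constructed, and the small line-based reader assumes the one-line `resolution: {...}` form shown in that excerpt.

```python
import re
from urllib.parse import urlparse

# Constructed lockfile excerpt (not a real project): a registry package with an integrity
# hash, a codeload tarball without one (the advisory's gap), and a codeload tarball with one.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'
packages:
  lodash@4.17.21:
    resolution: {integrity: sha512-PLACEHOLDERREGISTRYHASH==}
  https://codeload.github.com/example-org/example-lib/tar.gz/0000000000000000000000000000000000000000:
    resolution: {tarball: https://codeload.github.com/example-org/example-lib/tar.gz/0000000000000000000000000000000000000000}
  https://codeload.github.com/example-org/other-lib/tar.gz/1111111111111111111111111111111111111111:
    resolution: {tarball: https://codeload.github.com/example-org/other-lib/tar.gz/1111111111111111111111111111111111111111, integrity: sha512-PLACEHOLDERTARBALLHASH==}
"""

RESOLUTION_RE = re.compile(r"^\s+resolution:\s*\{(.*)\}\s*$")
PACKAGE_KEY_RE = re.compile(r"^  (\S.*?):\s*$")  # two-space indent: a key under packages:

def parse_resolution(line):
    """Turn `resolution: {tarball: ..., integrity: ...}` into a dict, or None if not a resolution line."""
    match = RESOLUTION_RE.match(line)
    if not match:
        return None
    fields = {}
    for part in match.group(1).split(","):
        key, _, value = part.strip().partition(":")  # split on the first colon only; URLs keep theirs
        fields[key.strip()] = value.strip().strip("'\"")
    return fields

def find_unpinned_github_tarballs(lockfile_text):
    """Return package keys fetched from codeload.github.com whose resolution has no integrity field."""
    findings, in_packages, current_key = [], False, None
    for line in lockfile_text.splitlines():
        if not line.startswith(" "):  # top-level key: note whether we are inside packages:
            in_packages, current_key = line.rstrip() == "packages:", None
            continue
        if not in_packages:
            continue
        key_match = PACKAGE_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).strip("'\"")
            continue
        fields = parse_resolution(line)
        if fields is None or current_key is None:
            continue
        url = fields.get("tarball", current_key)  # the package key itself may be the tarball URL
        if urlparse(url).hostname == "codeload.github.com" and "integrity" not in fields:
            findings.append(current_key)
    return findings
```

Run against a real lockfile, every key it reports is a dependency whose content the lockfile cannot verify, which is exactly what a substituted tarball from that host would exploit.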

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:* | - | 10.33.4 (excluding)
cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:* | 11.0.0 (including) | 11.0.7 (excluding)