CVE-2026-55700
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
The pnpm package manager from version 11.3.0 to 11.5.3 has a vulnerability where the `pnpm stage download` command derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file.
Risk Assessment
An attacker could overwrite any file on the system accessible by the user running pnpm, potentially leading to data integrity compromise or arbitrary code execution.
Recommendation
Immediately upgrade pnpm to version 11.5.3 or later, which includes a fix that validates both fields, derives a safe filename, and verifies the final destination before writing.
Original NVD description (English source)
pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing. This vulnerability is fixed in 11.5.3.

