CVE Catalog

CVE-2026-55700

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

The pnpm package manager from version 11.3.0 to 11.5.3 has a vulnerability where the `pnpm stage download` command derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file.

Risk Assessment

An attacker could overwrite any file on the system accessible by the user running pnpm, potentially leading to data integrity compromise or arbitrary code execution.

Recommendation

Immediately upgrade pnpm to version 11.5.3 or later, which includes a fix that validates both fields, derives a safe filename, and verifies the final destination before writing.

Original NVD description (English source)

pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing. This vulnerability is fixed in 11.5.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS