pnpm CVE Vulnerabilities

All known CVEs affecting pnpm. Kodem’s runtime-powered SCA reveals which are actually reachable in your application.

Known vulnerabilities

CVE            | Summary                                                                        | Severity
CVE-2026-55700 | pnpm: `stage download` writes outside its destination directory via manifest… | High
CVE-2026-55699 | pnpm: Reserved bin name deletes PNPM_HOME during global remove | Medium
CVE-2026-55698 | pnpm: Project env lockfile can short-circuit package-manager resolution and… | High
CVE-2026-55697 | pnpm: Repository-controlled configDependencies can select a pacquet native… | High
CVE-2026-55487 | pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle | High
CVE-2026-55180 | pnpm: Repository config can expand victim environment secrets into registry… | Medium
CVE-2026-50015 | pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path… | High
CVE-2026-50016 | pnpm: Transitive dependency alias path traversal allows project path override… | High
CVE-2026-50014 | pnpm: Git Fetch Argument Injection via Lockfile resolution.commit | Medium
CVE-2026-50021 | pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field | Medium
CVE-2026-50573 | pnpm: Unsafe default behavior breaks integrity check | Medium
CVE-2026-23888 | pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip… | Medium
CVE-2026-23889 | pnpm has Windows-specific tarball Path Traversal | Medium
CVE-2026-23890 | pnpm scoped bin name Path Traversal allows arbitrary file creation outside… | Medium
CVE-2026-24056 | pnpm has symlink traversal in file:/git dependencies | Medium
CVE-2025-69264 | pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default" | High
CVE-2025-69263 | pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies | High
CVE-2025-69262 | pnpm vulnerable to Command Injection via environment variable substitution | High
CVE-2024-47829 | pnpm uses the md5 path shortening function causes packet paths to coincide,… | Medium
CVE-2023-37478 | pnpm incorrectly parses tar archives relative to specification | High
CVE-2022-26183 | Untrusted Search Path in PNPM | High

Prioritize pnpm vulnerabilities

Kodem Kai can identify which of these CVEs are reachable in your dependency tree and generate targeted fix recommendations.
