pnpm

18 known vulnerabilities · 0 critical · 2 high

CVE-2026-23889

pnpm has Windows-specific tarball Path Traversal

Published Jan 26, 2026

CVE-2025-69264

pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

Published Jan 7, 2026

CVE-2026-23888

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

Published Jan 26, 2026

CVE-2022-26183HIGH

Untrusted Search Path in PNPM

Published Mar 23, 2022

CVE-2026-23890

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Published Jan 26, 2026

CVE-2026-24056

pnpm has symlink traversal in file:/git dependencies

Published Jan 26, 2026

CVE-2025-69262

pnpm vulnerable to Command Injection via environment variable substitution

Published Jan 7, 2026

CVE-2026-24131

pnpm has Path Traversal via arbitrary file permission modification

Published Jan 26, 2026

CVE-2024-53866

pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion

Published Dec 10, 2024

CVE-2025-69263

pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Published Jan 7, 2026

CVE-2023-37478HIGH

pnpm incorrectly parses tar archives relative to specification

Published Aug 1, 2023

MAL-2024-9302

Malicious code in ship_sleepnpm-tool (npm)

Published Oct 16, 2024

MAL-2022-5384

Malicious code in pnpm-local-install (npm)

Published Jun 20, 2022

MAL-2024-12022

Malicious code in pnpm-run (npm)

Published Dec 19, 2024

GHSA-w6wx-jq6j-6mcj

OpenClaw: pnpm dlx approvals did not bind local script operands

Published Apr 7, 2026

MAL-2026-2668

Malicious code in pnpm-workspaces (npm)

Published Apr 14, 2026

MAL-2026-4084

Malicious code in @antv/semantic-release-pnpm (npm)

Published May 19, 2026

MAL-2025-1256

Malicious code in pnpm-sync-api-tests (npm)

Published Feb 7, 2025

Check your entire dependency tree at onceRun dependency scan →