CVE-2026-55698
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
pnpm package manager prior to versions 10.34.2 and 11.5.3 persists bootstrap metadata in the first YAML document of pnpm-lock.yaml. A malicious repository can bypass fresh package-manager resolution and cause pnpm to install and execute arbitrary code during automatic version switching.
Risk Assessment
An attacker can take control of the package installation process in a repository, leading to arbitrary code execution in development or CI/CD environments, potentially stealing data or compromising the system.
Recommendation
Immediately upgrade pnpm to version 10.34.2 or 11.5.3 (or later). After upgrading, verify the integrity of pnpm-lock.yaml files in repositories.
Original NVD description (English source)
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3.

