CVE-2026-48995
HIGHDescription
pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| pnpm | pnpm |
| pnpm | pnpm |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-48995? +
How severe is CVE-2026-48995? +
What products are affected by CVE-2026-48995? +
How do I check if I'm vulnerable to CVE-2026-48995? +
Related Vulnerabilities
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and …
Diebold Nixdorf Vynamic Security Suite through 4.3.0 SR01 does not validate file attributes or the contents of /root during integrity …
The issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and …
Dell BIOS contains a missing support for integrity check vulnerability. An attacker with physical access to the system could potentially …
A missing file integrity check vulnerability exists on MacOS F5 VPN browser client installer that may allow a local, authenticated …
KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe …