| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
No public POC found.

| CVE | Severity | Description |
|---|---|---|
| CVE-2026-50016 | 8.8 HIGH | pnpm: Transitive dependency alias path traversal allows project path override via symlink |
| CVE-2026-55698 | 8.8 HIGH | pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfi |
| CVE-2026-55487 | 7.5 HIGH | pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle |
| CVE-2026-55697 | 7.5 HIGH | pnpm: Repository-controlled configDependencies can select a pacquet native install engine |
| CVE-2026-50015 | 7.3 HIGH | pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) |
| CVE-2026-55700 | 7.1 HIGH | pnpm: stage download writes outside destination via manifest version traversal |
| CVE-2026-50021 | 6.8 MEDIUM | pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field |
| CVE-2026-55180 | 6.5 MEDIUM | pnpm: Repository config can expand victim environment secrets into registry requests befor |
| CVE-2026-55699 | 6.5 MEDIUM | pnpm: reserved bin name deletes PNPM_HOME during global remove |
| CVE-2026-50014 | 6.4 MEDIUM | pnpm: Git Fetch Argument Injection via Lockfile resolution.commit |
| CVE-2026-48995 | | pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile |
| CVE-2026-50017 | | pnpm binds unscoped user-level npm auth credentials to a repository-selected registry |