Security Intelligence
Feed

Real-time CVE tracking, exploit analysis, and vulnerability intelligence curated for security professionals.

308 New today

65,585 Total advisories

Live Monitoring

Daily Security Trends (Last 14 Days)

336

Jun 12

Jun 13

Jun 14

443

Jun 15

630

Jun 16

464

Jun 17

Jun 18

352

Jun 19

Jun 20

104

Jun 21

317

Jun 22

294

Jun 23

355

Jun 24

298

Jun 25

Critical

High

Medium

Low

Latest

CVE CVSS 7.1

pnpm: stage download writes outside destination via manifest version traversal_CVE-2026-55700

pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix va...

CVE-2026-55700 pnpm pnpm >= 11.3.0, < 11.5.3

Jun 25, 2026

Read analysis

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 6.5	CVE-2026-55699	pnpm: reserved bin name deletes PNPM_HOME during global remove_CVE-2026-55699 pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a mal...	pnpm	pnpm < 10.34.2	Jun 25, 2026	CVE
HIGH 8.8	CVE-2026-55698	pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes_CVE-2026-55698 pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock...	pnpm	pnpm < 10.34.2	Jun 25, 2026	CVE
HIGH 7.5	CVE-2026-55697	pnpm: Repository-controlled configDependencies can select a pacquet native install engine_CVE-2026-55697 pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch...	pnpm	pnpm < 10.34.2	Jun 25, 2026	CVE
HIGH 7.5	CVE-2026-55487	pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle_CVE-2026-55487 pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball,...	pnpm	pnpm < 10.34.2	Jun 25, 2026	CVE
MEDIUM 6.5	CVE-2026-55180	pnpm: Repository config can expand victim environment secrets into registry requests before scripts run_CVE-2026-55180 pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnp...	pnpm	pnpm < 10.34.2	Jun 25, 2026	CVE
MEDIUM 6.9	CVE-2026-54679	jq: potential integer overflow in jvp_string_append_CVE-2026-54679 jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causi...	jqlang	jq < 1.8.2	Jun 25, 2026	CVE
MEDIUM 6.8	CVE-2026-50573	pnpm: Unsafe default behavior breaks integrity check_CVE-2026-50573 pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting tha...	pnpm	pnpm < 10.33.4	Jun 25, 2026	CVE
MEDIUM 6.8	CVE-2026-50021	pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field_CVE-2026-50021 pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is a...	pnpm	pnpm < 10.34.0	Jun 25, 2026	CVE
MEDIUM 6.9	CVE-2026-50017	pnpm binds unscoped user-level npm auth credentials to a repository-selected registry_CVE-2026-50017 pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a ...	pnpm	pnpm < 10.33.4	Jun 25, 2026	CVE

Security IntelligenceFeed

Daily Security Trends (Last 14 Days)

pnpm: stage download writes outside destination via manifest version traversal_CVE-2026-55700

Recent Advisories

pnpm: reserved bin name deletes PNPM_HOME during global remove_CVE-2026-55699

pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes_CVE-2026-55698

pnpm: Repository-controlled configDependencies can select a pacquet native install engine_CVE-2026-55697

pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle_CVE-2026-55487

pnpm: Repository config can expand victim environment secrets into registry requests before scripts run_CVE-2026-55180

jq: potential integer overflow in jvp_string_append_CVE-2026-54679

pnpm: Unsafe default behavior breaks integrity check_CVE-2026-50573

pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field_CVE-2026-50021

pnpm binds unscoped user-level npm auth credentials to a repository-selected registry_CVE-2026-50017

Protect Your Attack Surface with RedGem

Security Intelligence
Feed