Security Intelligence Feed

Real-time CVE tracking, exploit analysis, and vulnerability intelligence curated for security professionals.

289 New today
65,553 Total advisories
Live Monitoring

Daily Security Trends (Last 14 Days)

[Chart: daily counts, Jun 12 to Jun 25; legend: Critical, High, Medium, Low]

Recent Advisories

Severity ID Title Vendor Product Date Type
HIGH 7.5 CVE-2026-55697

pnpm: Repository-controlled configDependencies can select a pacquet native install engine

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch...

pnpm pnpm < 10.34.2 CVE
HIGH 7.5 CVE-2026-55487

pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball,...

pnpm pnpm < 10.34.2 CVE
MEDIUM 6.5 CVE-2026-55180

pnpm: Repository config can expand victim environment secrets into registry requests before scripts run

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnp...

pnpm pnpm < 10.34.2 CVE
MEDIUM 6.9 CVE-2026-54679

jq: potential integer overflow in jvp_string_append

jq is a command-line JSON processor. Prior to 1.8.2, on 32-bit systems, jvp_string_append has a chance of integer/multiple overflowing and then causi...

jqlang jq < 1.8.2 CVE
MEDIUM 6.8 CVE-2026-50573

pnpm: Unsafe default behavior breaks integrity check

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting tha...

pnpm pnpm < 10.33.4 CVE
MEDIUM 6.8 CVE-2026-50021

pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is a...

pnpm pnpm < 10.34.0 CVE
MEDIUM 6.9 CVE-2026-50017

pnpm binds unscoped user-level npm auth credentials to a repository-selected registry

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a ...

pnpm pnpm < 10.33.4 CVE
HIGH 8.8 CVE-2026-50016

pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path tr...

pnpm pnpm < 10.33.4 CVE
HIGH 7.3 CVE-2026-50015

pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file...

pnpm pnpm < 10.33.4 CVE