PT-2026-55946 · Pnpm · Pnpm

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-59194

CVSS v3.1

7.1

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 and 11.7.0.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59194

Affected Products

Pnpm