Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Mon, 06 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 06 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Pnpm
Pnpm pnpm |
|
| Vendors & Products |
Pnpm
Pnpm pnpm |
Mon, 06 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted node_modules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fixed in 10.34.4 and 11.7.0. | |
| Title | pnpm: hoisted install imports lockfile alias outside node_modules | |
| Weaknesses | CWE-22 CWE-73 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-06T15:40:34.708Z
Reserved: 2026-07-02T19:53:48.831Z
Link: CVE-2026-59196
Updated: 2026-07-06T15:40:29.371Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-06T16:30:03Z