Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-50016

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 22.5%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-50016
  • Pnpm » Pnpm » Version: 11.0.0
    cpe:2.3:a:pnpm:pnpm:11.0.0
  • Pnpm » Pnpm » Version: 11.0.1
    cpe:2.3:a:pnpm:pnpm:11.0.1
  • Pnpm » Pnpm » Version: 11.0.2
    cpe:2.3:a:pnpm:pnpm:11.0.2
  • Pnpm » Pnpm » Version: 11.0.3
    cpe:2.3:a:pnpm:pnpm:11.0.3
  • Pnpm » Pnpm » Version: 11.0.4
    cpe:2.3:a:pnpm:pnpm:11.0.4
  • Pnpm » Pnpm » Version: 11.0.5
    cpe:2.3:a:pnpm:pnpm:11.0.5
  • Pnpm » Pnpm » Version: 11.0.6
    cpe:2.3:a:pnpm:pnpm:11.0.6
  • Pnpm » Pnpm » Version: 11.0.7
    cpe:2.3:a:pnpm:pnpm:11.0.7
  • Pnpm » Pnpm » Version: 11.0.8
    cpe:2.3:a:pnpm:pnpm:11.0.8
  • Pnpm » Pnpm » Version: 11.0.9
    cpe:2.3:a:pnpm:pnpm:11.0.9
  • Pnpm » Pnpm » Version: 11.1.0
    cpe:2.3:a:pnpm:pnpm:11.1.0
  • Pnpm » Pnpm » Version: 11.1.1
    cpe:2.3:a:pnpm:pnpm:11.1.1
  • Pnpm » Pnpm » Version: 11.1.2
    cpe:2.3:a:pnpm:pnpm:11.1.2
  • Pnpm » Pnpm » Version: 11.1.3
    cpe:2.3:a:pnpm:pnpm:11.1.3
  • Pnpm » Pnpm » Version: 11.2.0
    cpe:2.3:a:pnpm:pnpm:11.2.0
  • Pnpm » Pnpm » Version: 11.2.1
    cpe:2.3:a:pnpm:pnpm:11.2.1
  • Pnpm » Pnpm » Version: 11.2.2
    cpe:2.3:a:pnpm:pnpm:11.2.2
  • Pnpm » Pnpm » Version: 11.3.0
    cpe:2.3:a:pnpm:pnpm:11.3.0


Products
Pricing
Contact Us

Shodan ® - All rights reserved