Vulnerability Details CVE-2026-55697
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency as an install-engine opt-in. During install, pnpm resolved a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawned it as the developer or CI user. This vulnerability is fixed in 10.34.2 and 11.5.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 1.9%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-55697
-
cpe:2.3:a:pnpm:pnpm:11.0.0
-
cpe:2.3:a:pnpm:pnpm:11.0.1
-
cpe:2.3:a:pnpm:pnpm:11.0.2
-
cpe:2.3:a:pnpm:pnpm:11.0.3
-
cpe:2.3:a:pnpm:pnpm:11.0.4
-
cpe:2.3:a:pnpm:pnpm:11.0.5
-
cpe:2.3:a:pnpm:pnpm:11.0.6
-
cpe:2.3:a:pnpm:pnpm:11.0.7
-
cpe:2.3:a:pnpm:pnpm:11.0.8
-
cpe:2.3:a:pnpm:pnpm:11.0.9
-
cpe:2.3:a:pnpm:pnpm:11.1.0
-
cpe:2.3:a:pnpm:pnpm:11.1.1
-
cpe:2.3:a:pnpm:pnpm:11.1.2
-
cpe:2.3:a:pnpm:pnpm:11.1.3
-
cpe:2.3:a:pnpm:pnpm:11.2.0
-
cpe:2.3:a:pnpm:pnpm:11.2.1
-
cpe:2.3:a:pnpm:pnpm:11.2.2
-
cpe:2.3:a:pnpm:pnpm:11.3.0
-
cpe:2.3:a:pnpm:pnpm:11.4.0
-
cpe:2.3:a:pnpm:pnpm:11.5.0
-
cpe:2.3:a:pnpm:pnpm:11.5.1
-
cpe:2.3:a:pnpm:pnpm:11.5.2