CVE-2026-48995
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
pnpm is a package manager. Prior to versions 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile, because the lockfile does not store the hash of dependencies fetched from https://codeload.github.com. As a result, if that server or a person's machine configuration were compromised, pnpm would download and install the substituted dependencies without detecting the change. This vulnerability is fixed in 10.33.4 and 11.0.7.
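A lockfile audit for the failure mode described above, written as an added example (it is not pnpm's own code and is not taken from the advisory): it walks a pnpm-lock.yaml and reports every package whose resolution carries no `integrity` hash, flagging codeload.github.com sources in particular. The lockfile layout it parses (a top-level `packages:` map with one-line flow-style `resolution:` entries), the sample lockfile and all hashes and URLs in it are assumptions or constructed values. Upgrading to a fixed pnpm release is the remediation; the script only shows which entries in an existing lockfile are unprotected by a hash.

```python
"""Audit a pnpm-lock.yaml for dependencies that carry no integrity hash.

Added example; not pnpm's own code. It assumes pnpm's lockfile layout of a
top-level `packages:` map whose entries are indented two spaces and carry a
one-line flow-style `resolution: {integrity: ..., tarball: ...}` mapping.
That layout is an assumption about the format, not taken from the advisory.
"""
import re
import sys
from typing import Dict, List

# Constructed sample lockfile: hashes, package names and URLs are placeholders.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

packages:

  left-pad@1.3.0:
    resolution: {integrity: sha512-CONSTRUCTEDPLACEHOLDERHASH0000000000000000==}

  some-lib@https://codeload.github.com/example-org/some-lib/tar.gz/0123456789abcdef0123456789abcdef01234567:
    resolution: {tarball: https://codeload.github.com/example-org/some-lib/tar.gz/0123456789abcdef0123456789abcdef01234567}
    version: 1.2.3

  pinned-lib@https://example.com/pinned-lib-2.0.0.tgz:
    resolution: {integrity: sha512-CONSTRUCTEDPLACEHOLDERHASH1111111111111111==, tarball: https://example.com/pinned-lib-2.0.0.tgz}
    version: 2.0.0
"""

PACKAGE_KEY_RE = re.compile(r"^  (\S.*):\s*$")                  # entry key at two-space indent
RESOLUTION_RE = re.compile(r"^    resolution:\s*\{(.*)\}\s*$")  # flow mapping at four-space indent


def parse_flow_mapping(body: str) -> Dict[str, str]:
    """Split 'k1: v1, k2: v2' into a dict; values keep their own colons (URLs)."""
    fields: Dict[str, str] = {}
    for item in body.split(","):
        if ":" not in item:
            continue
        key, value = item.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_lockfile(text: str) -> Dict[str, Dict[str, str]]:
    """Return {package_key: resolution_fields} for every entry under `packages:`."""
    packages: Dict[str, Dict[str, str]] = {}
    in_packages = False
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():        # a new top-level key
            in_packages = line.startswith("packages:")
            current = None
            continue
        if not in_packages:
            continue
        key_match = PACKAGE_KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).strip("'\"")
            packages[current] = {}
            continue
        res_match = RESOLUTION_RE.match(line)
        if res_match and current is not None:
            packages[current] = parse_flow_mapping(res_match.group(1))
    return packages


def unpinned_dependencies(packages: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """List entries whose resolution has no `integrity` field.

    Without a hash the lockfile cannot detect a substituted tarball, which is
    the failure mode the advisory describes for codeload.github.com sources.
    """
    findings: List[Dict[str, object]] = []
    for key, resolution in sorted(packages.items()):
        if "integrity" in resolution:
            continue
        # `commit` as a fallback assumes pnpm's git-style resolution entries.
        source = resolution.get("tarball") or resolution.get("commit") or "unknown"
        findings.append({"package": key, "source": source,
                         "github_codeload": "codeload.github.com" in source})
    return findings


def audit(text: str) -> List[Dict[str, object]]:
    """Parse a lockfile and return its entries that lack an integrity hash."""
    return unpinned_dependencies(parse_lockfile(text))


if __name__ == "__main__":
    # Pass a pnpm-lock.yaml path to audit it; with no argument, audit the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for finding in audit(text):
        flag = " (GitHub codeload)" if finding["github_codeload"] else ""
        print(f"NO INTEGRITY HASH: {finding['package']} <- {finding['source']}{flag}")
```

Run it against a project's pnpm-lock.yaml (`python audit_lock.py pnpm-lock.yaml`) to list entries that a pre-fix pnpm would install without any hash check; entries resolved from the npm registry or from tarball URLs that do carry an `integrity` field are skipped.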
| CWE | CWE-353 |
| Vendor | pnpm |
| Product | pnpm |
| Published | Jun 25, 2026 |
| Last Updated | Jun 26, 2026 |
Affected Versions
| pnpm / pnpm | < 10.33.4 |
| pnpm / pnpm | >= 11.0.0, < 11.0.7 |