anonhaven
Ad

CVE-2026-23889

MEDIUM CVSS 3.1: 6.5 EPSS 0.01%
Updated Jan 28, 2026
Microsoft
Parameter Value
CVSS 6.5 (MEDIUM)
Affected Versions before 10.28.1
Fixed In 10.28.1
Type CWE-22 (Path Traversal)
Vendor Microsoft
Public PoC No

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`.

On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps).

It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-22 Path Traversal

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Pnpm Pnpm
cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*
 10.28.1
Microsoft Windows
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References 3

https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
security-advisories@github.com
https://github.com/pnpm/pnpm/releases/tag/v10.28.1
security-advisories@github.com
https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-4680

Google

8.8

CVE-2026-4679

Google

8.8

CVE-2026-4678

Google

8.8

CVE-2026-4677

Google

8.8

CVE-2026-4676

Google

8.8