HIGH 8.8 CVE-2025-69264 pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"
>= 10.0.0, < 10.26.0
from 0, < 6.15.1
HIGH 7.5 CVE-2025-69263 pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
from 0, < 10.26.0
HIGH 7.5 pnpm vulnerable to Command Injection via environment variable substitution
>= 6.25.0, < 10.27.0
HIGH 7.5 pnpm incorrectly parses tar archives relative to specification
from 0, < 7.33.4
MEDIUM 6.5 pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
from 0, < 10.28.1
MEDIUM 6.5 pnpm has Windows-specific tarball Path Traversal
from 0, < 10.28.1
MEDIUM 6.5 pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
from 0, < 10.28.1
MEDIUM 6.5 pnpm has symlink traversal in file:/git dependencies
from 0, < 10.28.2
MEDIUM 6.5 pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
from 0, < 10.0.0
— pnpm has Path Traversal via arbitrary file permission modification
from 0, < 10.28.2
— pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
from 0, < 9.15.0