{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T21:02:02.902Z", "datePublished": "2026-01-26T21:50:55.289Z", "dateUpdated": "2026-01-27T21:40:36.271Z"}, "containers": {"cna": {"title": "pnpm has Windows-specific tarball Path Traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"}, {"name": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"version": "< 10.28.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:00:18.657Z"}, "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch."}], "source": {"advisory": "GHSA-6x96-7vc8-cm3p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:40:27.399595Z", "id": "CVE-2026-23889", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:40:36.271Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T21:02:02.902Z", "datePublished": "2026-01-26T21:50:55.289Z", "dateUpdated": "2026-01-27T21:40:36.271Z"}, "containers": {"cna": {"title": "pnpm has Windows-specific tarball Path Traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"}, {"name": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"version": "< 10.28.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:00:18.657Z"}, "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch."}], "source": {"advisory": "GHSA-6x96-7vc8-cm3p", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23889", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:40:27.399595Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:40:31.773Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch."}], "id": "CVE-2026-23889", "lastModified": "2026-01-27T14:59:34.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-26T22:15:56.213", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"}, {"source": "security-advisories@github.com", "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pnpm: pnpm: Arbitrary file write via path traversal on Windows", "id": "2433093", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433093"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in pnpm, a package manager. This vulnerability, known as path traversal, allows a malicious package to write files to unintended locations on Windows systems during the extraction of compressed archives (tarballs). The issue arises because pnpm's path normalization process does not properly account for Windows-specific directory separators. This could enable an attacker to overwrite important configuration files, potentially leading to unauthorized code execution or system compromise."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-23889", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-01-26T21:50:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23889\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23889\nhttps://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0\nhttps://github.com/pnpm/pnpm/releases/tag/v10.28.1\nhttps://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"], "statement": "This vulnerability is rated Moderate. However, in the Red Hat context, the impact is limited as this path traversal vulnerability in pnpm's tarball extraction is specific to Windows operating systems. Red Hat products, including the affected Enterprise Application Platform components, primarily operate on Linux environments, where this specific attack vector is not applicable.", "threat_severity": "Moderate"}

{"created": "2026-01-27T09:03:16.368809+00:00", "updated": "2026-01-27T09:03:16.368842+00:00", "vendors": ["pnpm", "pnpm$PRODUCT$pnpm"]}