CVE-2026-23889
- Source
- https://cve.org/CVERecord?id=CVE-2026-23889
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23889.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23889
- Aliases
- Downstream
- Published
- 2026-01-26T21:50:55.289Z
- Modified
- 2026-04-10T05:39:17.396050Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- pnpm has Windows-specific tarball Path Traversal
- Details
-
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for
./but not.\. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting.npmrc, build configs, or other files. Version 10.28.1 contains a patch. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-22" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23889.json" }- References
-
- https://github.com/pnpm/pnpm/releases/tag/v10.28.1
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23889.json
- https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
- https://nvd.nist.gov/vuln/detail/CVE-2026-23889
- https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
Affected packages
Git / github.com/pnpm/pnpm
Affected ranges
- Type
- GIT
- Repo
- https://github.com/pnpm/pnpm
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.19.0
@pnpm/headless@0.*
@pnpm/headless@0.6.2
@pnpm/utils@0.*
@pnpm/utils@0.6.1
config/1.*
config/1.0.0
config/1.1.0
config/1.2.0
config/1.2.1
config/1.2.2
config/1.2.3
config/1.2.4
config/1.2.5
config/1.2.6
config/1.2.7
config/1.3.0
config/1.3.1
config/2.*
config/2.0.0
config/2.0.1
config/2.1.0
config/2.1.1
config/2.2.0
core-loggers/0.*
core-loggers/0.0.0
default-fetcher/2.*
default-fetcher/2.0.1
default-fetcher/2.0.2
default-reporter/0.*
default-reporter/0.17.0
default-resolver/2.*
default-resolver/2.0.2
default-resolver/2.0.3
default-resolver/2.0.4
headless/0.*
headless/0.4.0
headless/0.5.0
headless/0.5.1
headless/0.5.2
headless/0.5.3
headless/0.5.4
headless/0.6.0
headless/0.6.1
headless/0.6.3
headless/0.6.4
headless/0.6.5
headless/0.6.7
headless@0.*
headless@0.6.6
package-requester/4.*
package-requester/4.1.0
package-requester/4.1.2
package-requester/4.1.3
package-requester/4.1.4
package-requester@4.*
package-requester@4.1.1
package-store/0.*
package-store/0.23.2
package-store/0.23.3
package-store/0.23.4
pnpm-default-reporter/0.*
pnpm-default-reporter/0.17.1
pnpm-default-reporter/0.17.2
pnpm-default-reporter/0.17.3
pnpm-default-reporter/0.17.4
pnpm-default-reporter/0.17.5
pnpm-default-reporter/0.17.6
pnpm-default-reporter/0.17.7
pnpm-default-reporter/0.17.8
pnpm-default-reporter/0.18.0
pnpm-default-reporter/0.19.0
pnpm-default-reporter/0.19.1
pnpm-default-reporter/0.19.2
pnpm-default-reporter/0.20.0
pnpm-default-reporter/0.20.2
pnpm-default-reporter/0.20.3
pnpm-default-reporter/0.20.4
pnpm-default-reporter/0.20.5
pnpm-default-reporter@0.*
pnpm-default-reporter@0.20.1
server/0.*
server/0.14.1
server/0.14.2
server/0.14.3
supi/0.*
supi/0.19.1
supi/0.19.2
supi/0.19.3
supi/0.20.0
supi/0.20.1
supi/0.20.2
supi/0.20.3
supi/0.20.4
supi/0.20.5
supi/0.20.6
supi/0.20.7
supi/0.20.8
supi/0.21.0
supi/0.21.1
supi/0.22.0
supi/0.22.1
supi/0.22.2
supi/0.23.0
supi/0.23.1
supi/0.24.0
supi/0.24.10
supi/0.24.2
supi/0.24.3
supi/0.24.4
supi/0.24.5
supi/0.24.6
supi/0.24.7
supi/0.24.8
supi@0.*
supi@0.24.1
supi@0.24.9
utils/0.*
utils/0.1.0
utils/0.2.0
utils/0.2.1
utils/0.3.0
utils/0.4.0
utils/0.5.0
utils/0.5.1
utils/0.6.0
utils/0.6.2
utils/0.6.3
utils/0.6.4
utils/0.8.0
utils@0.*
utils@0.7.0
v0.*
v0.1.0
v0.10.0
v0.10.1
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.2.0
v0.2.1
v0.2.2
v0.20.0
v0.21.0
v0.22.1
v0.23.0
v0.24.0
v0.25.0
v0.26.1
v0.26.2
v0.27.0
v0.28.0
v0.29.0
v0.29.1
v0.3.0
v0.30.0
v0.31.0
v0.31.1
v0.31.2
v0.32.0
v0.32.1
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.37.0
v0.38.0
v0.38.1
v0.38.2
v0.39.0
v0.39.1
v0.4.0
v0.4.1
v0.40.0
v0.41.0
v0.42.0
v0.42.1
v0.42.2
v0.42.3
v0.42.4
v0.42.5
v0.42.6
v0.43.0
v0.43.1
v0.43.2
v0.44.0
v0.44.1
v0.45.0
v0.45.1
v0.46.0
v0.47.0
v0.47.1
v0.48.0
v0.48.1
v0.49.0
v0.49.1
v0.49.2
v0.5.0
v0.50.0
v0.51.0
v0.51.1
v0.51.2
v0.51.3
v0.52.0
v0.52.1
v0.53.0
v0.54.0
v0.54.1
v0.55.0
v0.55.1
v0.55.2
v0.55.3
v0.56.0
v0.57.0
v0.57.1
v0.57.2
v0.58.0
v0.59.0
v0.6.1
v0.60.0
v0.60.1
v0.60.2
v0.60.3
v0.61.0
v0.62.0
v0.62.1
v0.62.2
v0.63.0
v0.64.0
v0.64.1
v0.64.2
v0.64.3
v0.64.4
v0.64.5
v0.64.6
v0.64.7
v0.64.8
v0.65.0
v0.65.1
v0.65.2
v0.65.3
v0.65.4
v0.65.5
v0.65.6
v0.65.7
v0.66.0
v0.66.1
v0.66.2
v0.66.3
v0.66.4
v0.67.0
v0.67.1
v0.67.2
v0.67.3
v0.68.0
v0.69.0
v0.69.0-beta.1
v0.69.0-beta.2
v0.69.0-beta.3
v0.69.0-beta.4
v0.69.1
v0.69.2
v0.69.3
v0.69.4
v0.7.0
v0.70.0
v0.70.0-beta.1
v0.70.0-beta.2
v0.70.1
v0.71.0
v0.71.1
v0.72.0
v0.73.0
v0.73.1
v0.73.2
v0.73.3
v0.74.0
v0.74.1
v0.74.2
v0.74.3
v0.74.4
v0.75.0
v0.8.0
v0.8.1
v0.8.2
v0.9.0
Other
v1
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.10.0
v1.10.1
v1.10.2
v1.11.0
v1.11.1
v1.12.0
v1.13.0
v1.13.1
v1.13.2
v1.14.0
v1.14.10
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.14.9
v1.15.0
v1.16.0
v1.16.2
v1.16.3
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.18.1
v1.19.0
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.19.6
v1.19.7
v1.2.0
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.23.1
v1.23.2
v1.24.0
v1.24.0-2
v1.24.0-3
v1.24.1
v1.24.2
v1.24.3
v1.25.0
v1.25.1
v1.26.0
v1.27.0
v1.27.0-0
v1.27.0-1
v1.28.0
v1.29.1
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.30.0
v1.30.1
v1.30.2
v1.31.0
v1.31.1
v1.31.2
v1.31.3
v1.31.4
v1.31.5
v1.31.6
v1.32.0
v1.32.1
v1.33.0
v1.33.1
v1.33.2
v1.34.0
v1.35.0
v1.35.1
v1.35.10
v1.35.2
v1.35.3
v1.35.4
v1.35.5
v1.35.6
v1.35.7
v1.35.8
v1.35.9
v1.36.0
v1.36.1
v1.36.2
v1.37.0
v1.37.1
v1.37.2
v1.37.3
v1.37.5
v1.38.0
v1.38.2
v1.38.3
v1.39.0
v1.39.1
v1.4.0
v1.40.0
v1.40.1
v1.40.2
v1.41.0
v1.41.1
v1.41.2
v1.41.3
v1.42.0
v1.43.0
v1.43.1
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v1.9.0
v10.*
v10.0.0
v10.0.0-alpha.0
v10.0.0-alpha.1
v10.0.0-alpha.2
v10.0.0-alpha.3
v10.0.0-alpha.4
v10.0.0-beta.0
v10.0.0-beta.1
v10.0.0-beta.2
v10.0.0-beta.3
v10.0.0-rc.0
v10.0.0-rc.1
v10.0.0-rc.2
v10.0.0-rc.3
v10.1.0
v10.10.0
v10.11.0
v10.12.1
v10.12.2
v10.12.3
v10.12.4
v10.13.0
v10.13.1
v10.14.0
v10.14.0-0
v10.15.0
v10.15.1
v10.16.0
v10.16.1
v10.17.0
v10.17.1
v10.18.0
v10.18.1
v10.18.2
v10.18.3
v10.19.0
v10.19.1-oidc-test.0
v10.19.1-oidc-test.1
v10.19.1-oidc-test.2
v10.19.1-oidc-test.3
v10.2.0
v10.2.1
v10.20.0
v10.21.0
v10.22.0
v10.23.0
v10.24.0
v10.25.0
v10.26.0
v10.26.1
v10.26.2
v10.27.0
v10.28.0
v10.3.0
v10.4.0
v10.4.1
v10.5.0
v10.5.1
v10.5.2
v10.6.0
v10.6.1
v10.6.2
v10.7.0
v10.8.0
v10.8.1
v10.9.0
v2.*
v2.0.0
v2.0.0-rc.0
v2.1.0
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.11.0
v2.12.0
v2.12.0-0
v2.12.0-1
v2.12.1
v2.13.0
v2.13.1
v2.13.3
v2.14.0
v2.14.0-0
v2.14.0-1
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.15.0
v2.15.1
v2.15.2
v2.16.0
v2.16.1
v2.17.0
v2.17.0-0
v2.17.0-1
v2.17.0-2
v2.17.0-3
v2.17.0-4
v2.17.0-5
v2.17.1
v2.17.2
v2.17.3
v2.17.4
v2.17.5
v2.17.6
v2.17.7
v2.17.8
v2.18.0
v2.18.2
v2.19.0
v2.19.0-0
v2.19.0-1
v2.19.0-2
v2.19.1
v2.19.2
v2.19.3
v2.19.4
v2.2.0
v2.2.1
v2.2.2
v2.20.0
v2.20.1
v2.21.0
v2.21.1
v2.22.0
v2.22.0-0
v2.23.0
v2.23.0-0
v2.23.1
v2.24.0
v2.24.0-0
v2.24.1
v2.24.2
v2.25.0
v2.25.0-0
v2.25.0-1
v2.25.1
v2.25.2
v2.25.3
v2.25.4
v2.3.0
v2.3.1
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.8.0
v2.9.0
v3.*
v3.0.0
v3.0.0-alpha.0
v3.0.0-alpha.1
v3.0.0-alpha.2
v3.0.0-alpha.3
v3.0.0-beta.0
v3.0.0-beta.2
v3.0.1
v3.1.0
v3.1.0-0
v3.1.0-1
v3.1.1
v3.2.0
v3.2.0-0
v3.2.0-1
v3.3.0
v3.3.0-0
v3.3.0-1
v3.3.0-2
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.4.0
v3.4.0-0
v3.4.1
v3.5.0
v3.5.0-0
v3.5.0-1
v3.5.0-2
v3.5.0-3
v3.5.1
v3.5.2
v3.5.3
v3.5.5
v3.5.6
v3.5.7
v3.6.0
v3.6.0-0
v3.6.1
v3.6.2
v3.7.0
v3.7.0-0
v3.7.0-1
v3.7.0-2
v3.7.0-3
v3.7.0-4
v3.7.0-5
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.8.0
v3.8.0-0
v3.8.0-1
v3.8.1
v4.*
v4.0.0
v4.0.0-0
v4.0.0-1
v4.0.0-2
v4.0.0-3
v4.0.0-4
v4.0.0-5
v4.0.0-6
v4.0.0-7
v4.0.0-8
v4.0.1
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.10.0
v4.10.0-0
v4.10.0-1
v4.10.0-2
v4.10.0-3
v4.11.0
v4.11.1
v4.11.2
v4.11.3
v4.11.4
v4.12.0
v4.12.0-0
v4.12.0-1
v4.12.1
v4.12.2
v4.12.3
v4.12.4
v4.12.5
v4.13.0
v4.13.0-0
v4.13.0-1
v4.14.0
v4.14.0-0
v4.14.0-1
v4.14.0-2
v4.14.1
v4.2.0
v4.2.0-0
v4.2.2
v4.2.3
v4.3.0
v4.3.0-0
v4.3.1
v4.4.0
v4.4.0-0
v4.4.0-1
v4.4.0-2
v4.5.0
v4.5.0-0
v4.5.0-1
v4.5.0-6
v4.6.0
v4.6.0-0
v4.6.0-1
v4.7.0
v4.7.0-1
v4.7.1
v4.7.2
v4.8.0
v4.8.0-0
v4.8.0-1
v4.9.0
v4.9.0-0
v4.9.0-1
v4.9.0-2
v4.9.0-3
v4.9.0-4
v4.9.1
v4.9.2
v4.9.3
v5.*
v5.0.0
v5.0.0-0
v5.0.0-1
v5.0.0-alpha.2
v5.0.0-alpha.3
v5.0.0-alpha.4
v5.0.0-alpha.5
v5.0.0-alpha.6
v5.0.0-alpha.7
v5.0.0-rc.0
v5.0.0-rc.1
v5.0.0-rc.2
v5.0.0-rc.3
v5.0.0-rc.4
v5.0.0-rc.5
v5.0.1
v5.0.2
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7
v5.1.8
v5.10.0
v5.10.0-0
v5.10.1
v5.10.2
v5.10.3
v5.10.4
v5.11.0
v5.11.1
v5.12.0
v5.13.0
v5.13.1
v5.13.2
v5.13.3
v5.13.4
v5.13.5
v5.13.6
v5.13.7
v5.14.0
v5.14.1
v5.14.2
v5.14.3
v5.15.0
v5.15.1
v5.15.2
v5.15.3
v5.16.0
v5.16.0-0
v5.16.0-1
v5.16.0-2
v5.16.1
v5.17.0
v5.17.1
v5.17.2
v5.17.3
v5.18.0
v5.18.1
v5.2.0
v5.2.0-0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.8
v5.2.9
v5.3.0
v5.4.0
v5.4.1
v5.4.10
v5.4.11
v5.4.12
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v5.4.7
v5.4.8
v5.4.9
v5.5.0
v5.5.1
v5.5.10
v5.5.11
v5.5.12
v5.5.13
v5.5.2
v5.5.3
v5.5.4
v5.5.5
v5.5.6
v5.5.7
v5.5.8
v5.5.9
v5.6.0
v5.6.0-0
v5.6.1
v5.7.0
v5.7.0-0
v5.8.0
v5.8.0-0
v5.9.0
v5.9.0-0
v5.9.0-1
v5.9.0-2
v5.9.2
v5.9.3
v6.*
v6.0.0
v6.0.0-alpha.3
v6.0.0-alpha.4
v6.0.0-alpha.5
v6.0.0-alpha.6
v6.0.0-beta.0
v6.0.0-beta.1
v6.0.0-rc.0
v6.0.0-rc.1
v6.0.1
v6.0.2
v6.1.0
v6.10.0
v6.10.0-0
v6.10.0-1
v6.10.1
v6.10.2
v6.11.0
v6.11.0-0
v6.11.1
v6.11.2
v6.11.5
v6.12.0
v6.12.0-0
v6.12.0-1
v6.12.0-2
v6.12.1
v6.13.0
v6.13.0-0
v6.14.0
v6.14.0-0
v6.14.0-3
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.14.4-0
v6.14.4-1
v6.14.5
v6.14.6
v6.14.7
v6.15.0
v6.15.1
v6.15.2
v6.16.0
v6.16.1
v6.17.0
v6.17.1
v6.17.2
v6.18.0
v6.19.0
v6.19.1
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.20.0
v6.20.1
v6.20.2
v6.20.3
v6.20.4
v6.21.0
v6.21.1
v6.22.0
v6.22.1
v6.22.2
v6.23.0
v6.23.1
v6.23.2
v6.23.3
v6.23.4
v6.23.5
v6.23.6
v6.24.0
v6.24.0-0
v6.24.0-1
v6.24.1
v6.24.2
v6.24.3
v6.24.4
v6.25.0
v6.25.0-0
v6.25.0-1
v6.25.0-2
v6.25.0-3
v6.25.1
v6.26.0
v6.26.1
v6.27.0
v6.3.0
v6.4.0
v6.5.0
v6.6.0
v6.6.1
v6.6.2
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.8.0
v6.9.0
v6.9.1
v7.*
v7.0.0
v7.0.0-alpha.0
v7.0.0-alpha.1
v7.0.0-alpha.2
v7.0.0-alpha.3
v7.0.0-alpha.4
v7.0.0-beta.0
v7.0.0-beta.1
v7.0.0-beta.2
v7.0.0-rc.0
v7.0.0-rc.1
v7.0.0-rc.2
v7.0.0-rc.3
v7.0.0-rc.4
v7.0.0-rc.5
v7.0.0-rc.6
v7.0.0-rc.7
v7.0.0-rc.8
v7.0.0-rc.9
v7.0.1
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.10.0
v7.10.0-0
v7.10.0-1
v7.11.0
v7.11.1-0
v7.12.0
v7.12.0-0
v7.12.1
v7.12.2
v7.13.0
v7.13.1
v7.13.2
v7.13.3
v7.13.4
v7.13.5
v7.13.6
v7.14.0
v7.14.1
v7.14.2
v7.15.0
v7.16.0
v7.16.1
v7.17.0
v7.17.1
v7.18.0
v7.18.1
v7.18.2
v7.19.0
v7.2.0
v7.2.1
v7.20.0
v7.21.0
v7.22.0
v7.23.0
v7.24.0
v7.24.1
v7.24.2
v7.24.3
v7.25.0
v7.25.1
v7.26.0
v7.26.1
v7.26.2
v7.26.3
v7.27.0
v7.27.0-0
v7.27.1
v7.28.0
v7.28.0-0
v7.29.0
v7.29.0-0
v7.29.0-1
v7.29.0-2
v7.29.1
v7.29.2
v7.29.3
v7.3.0
v7.30.0
v7.30.0-0
v7.4.0
v7.4.0-0
v7.4.0-1
v7.4.0-2
v7.4.0-3
v7.4.0-4
v7.4.1
v7.5.0
v7.5.1
v7.5.2
v7.6.0
v7.6.0-0
v7.7.0
v7.7.0-0
v7.7.0-1
v7.7.1
v7.8.0
v7.9.0
v7.9.0-0
v7.9.1
v7.9.2
v7.9.3
v7.9.4
v7.9.4-0
v7.9.5
v8.*
v8.0.0
v8.0.0-beta.1
v8.0.0-rc.0
v8.0.0-rc.1
v8.1.0
v8.1.1
v8.10.0
v8.10.0-0
v8.10.1
v8.10.2
v8.10.3
v8.10.4
v8.10.5
v8.11.0
v8.12.0
v8.12.1
v8.13.1
v8.14.0
v8.2.0
v8.3.0
v8.3.0-0
v8.3.1
v8.4.0
v8.5.0
v8.5.1
v8.6.0
v8.6.1
v8.6.10
v8.6.11
v8.6.12
v8.6.2
v8.6.3
v8.6.4
v8.6.5
v8.6.6
v8.6.7
v8.6.8
v8.6.9
v8.7.0
v8.7.0-0
v8.7.1
v8.7.2
v8.7.3
v8.7.4
v8.7.5
v8.7.6
v8.8.0
v8.9.0
v8.9.0-0
v8.9.0-1
v8.9.1
v8.9.2
v9.*
v9.0.0
v9.0.0-alpha.0
v9.0.0-alpha.1
v9.0.0-alpha.10
v9.0.0-alpha.2
v9.0.0-alpha.3
v9.0.0-alpha.4
v9.0.0-alpha.5
v9.0.0-alpha.6
v9.0.0-alpha.7
v9.0.0-alpha.8
v9.0.0-alpha.9
v9.0.0-beta.0
v9.0.0-beta.1
v9.0.0-beta.2
v9.0.0-beta.3
v9.0.0-rc.0
v9.0.0-rc.1
v9.0.0-rc.2
v9.0.1
v9.0.2
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.1.0
v9.1.0-0
v9.1.1
v9.1.2
v9.1.3
v9.1.4
v9.10.0
v9.11.0
v9.12.0
v9.12.1
v9.12.2
v9.12.3
v9.2.0
v9.3.0
v9.4.0
v9.5.0
v9.5.0-beta.0
v9.5.0-beta.1
v9.5.0-beta.2
v9.5.0-beta.3
v9.6.0
v9.7.0
v9.7.1
v9.8.0
v9.9.0