CVE-2026-42089

Source
https://cve.org/CVERecord?id=CVE-2026-42089
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42089.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42089
Aliases
Published
2026-06-16T16:15:04.499Z
Modified
2026-07-08T08:13:49.133309547Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Details

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42089.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-829"
    ]
}
References

Affected packages

Git / github.com/yeoman/environment

Affected ranges

Type
GIT
Repo
https://github.com/yeoman/environment
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.9.0"
        },
        {
            "fixed": "6.0.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v2.*
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v3.*
v3.0.0
v3.0.0-beta.2
v3.0.0-beta.3
v3.0.0-rc.0
v3.0.0-rc.1
v3.0.1
v3.1.0
v3.10.0
v3.11.0
v3.11.1
v3.12.0
v3.12.1
v3.13.0
v3.14.0
v3.14.1
v3.15.0
v3.15.1
v3.2.0
v3.3.0
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.6.0
v3.7.0
v3.8.0
v3.8.1
v3.9.0
v3.9.1
v4.*
v4.0.0
v4.0.0-alpha.0
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-alpha.6
v4.0.0-alpha.7
v4.0.0-alpha.8
v4.0.0-beta.0
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-beta.5
v4.0.0-beta.6
v4.0.0-rc.0
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.2.1
v4.3.0
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v5.*
v5.0.0
v5.0.0-beta.0
v5.0.0-beta.1
v5.0.0-beta.2
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v6.*
v6.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42089.json"