CVSS 8.8 HIGH Vulnerability

CVE-2026-50016: pnpm: Transitive dependency alias path traversal allows project path override via symlink…


CVSS Score: 8.8
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-50016
Vendor: npm
Affected Product: pnpm
Vulnerability Type: Vulnerability
CVSS Score: 8.8 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary

pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause pnpm install --ignore-scripts to replace paths in the current project with symlinks to attacker-controlled dependency package directories.

.git/hooks is only one useful target. The same primitive can replace other project-local paths that are consumed by later tools, for example:

- .husky or .githooks for Git hook dispatchers
- scripts/, tools/, bin/, or tests/ for project scripts and CI commands
- .github/actions/ for local GitHub Actions used later in the workflow
- dist/ or other publish/build output directories b
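
The check below is an added example, not code from pnpm or the advisory: it validates dependency aliases before they are used as link paths and reports where an unchecked alias would land relative to the project root. The allowed alias shapes (`name` or `@scope/name`), the function names and the sample aliases are assumptions constructed for illustration.

```javascript
// Added example, not pnpm's code: audit dependency aliases before they are
// used as link paths under node_modules.

// Normalise a POSIX-style relative path; returns null if it climbs above the root.
function normalizeInsideRoot(relPath) {
  const out = [];
  for (const seg of relPath.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // escaped the project root
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out.join('/');
}

// Assumption: a legitimate alias is "name" or "@scope/name" and nothing else.
function aliasProblem(alias) {
  if (typeof alias !== 'string' || alias.length === 0) return 'empty or non-string';
  if (/[\\\0]/.test(alias)) return 'backslash or NUL byte';
  if (alias.startsWith('/') || /^[A-Za-z]:/.test(alias)) return 'absolute path';
  const segs = alias.split('/');
  if (segs.some((s) => s === '' || s === '.' || s === '..')) return 'empty, "." or ".." segment';
  if (segs.length !== (alias.startsWith('@') ? 2 : 1)) return 'unexpected "/" in name';
  return null;
}

// For each alias, report whether it is safe and where its link would land
// relative to the project root if it were joined onto node_modules unchecked.
function auditAliases(aliases) {
  return aliases.map((alias) => {
    const problem = aliasProblem(alias);
    const landsAt = typeof alias === 'string' ? normalizeInsideRoot(`node_modules/${alias}`) : null;
    const insideModules = landsAt !== null && landsAt.startsWith('node_modules/');
    return { alias, ok: problem === null, problem, landsAt, insideModules };
  });
}

// Constructed sample aliases (not taken from the advisory).
const SAMPLES = ['lodash', '@types/node', '../.git/hooks', '@scope/../../.husky', 'a/../b'];
console.table(auditAliases(SAMPLES));
```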
