CVSS 7.5 HIGH Vulnerability

CVE-2026-55697: pnpm: Repository-controlled configDependencies can select a pacquet native install engine

CVSS Score: 7.5
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-55697
Vendor: npm
Affected Product: pnpm
Vulnerability Type: Vulnerability
CVSS Score: 7.5 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Maintainer Action Plan

This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.

• Advisory: CAND-PNPM-097 / GHSA-gj8w-mvpf-x27x
• Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-gj8w-mvpf-x27x
• Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1
• Shared patch branch: security/ghsa-batch-2026-06-09
• Patch commit: a93449314f398cf4bdf2e28d033c02d37395ad22
• Base commit: origin/main 55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec
• Maintainer priority: start-here
• Component: pnpm configDependencies / pacquet delegation
• Patch area: pacquet/configDependency lifecycle execution is not used as i

🎯 Known Indicators of Compromise

{"type":"sha1","value":"a93449314f398cf4bdf2e28d033c02d37395ad22","confidence_score":0.9,"first_seen":"2026-06-26","source_count":1}
{"type":"sha1","value":"55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec","confidence_score":0.9,"first_seen":"2026-06-26","source_count":1}
{"type":"url","value":"https://github.com/pnpm/pnpm/security/advisories/GHSA-gj8w-mvpf-x27x","confidence_score":0.82,"first_seen":"2026-06-26","source_count":1}
{"type":"url","value":"https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1","confidence_score":0.82,"first_seen":"2026-06-26","source_count":1}
