CVSS 8.8 HIGH Vulnerability

CVE-2026-55698: pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockf…

• CVSS Score: 8.8
• Severity: HIGH
• CISA KEV: NO
• Impact Type: Vulnerability

📋 Vulnerability Details

• CVE ID: CVE-2026-55698
• Vendor: npm
• Affected Product: pnpm
• Vulnerability Type: Vulnerability
• CVSS Score: 8.8 (HIGH)
• Actively Exploited: No known exploitation
• Patch Status: See Vendor Advisory
• Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Maintainer Action Plan

This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.

• Advisory: CAND-PNPM-063 / GHSA-w466-c33r-3gjp
• Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp
• Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1
• Shared patch branch: security/ghsa-batch-2026-06-09
• Patch commit: a93449314f398cf4bdf2e28d033c02d37395ad22
• Base commit: origin/main 55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec
• Maintainer priority: start-here
• Component: pnpm packageManager env lockfile
• Patch area: package-manager env lockfile is re-resolved through trusted registries be

🎯 Known Indicators of Compromise

{"type":"sha1","value":"a93449314f398cf4bdf2e28d033c02d37395ad22","confidence_score":0.9,"first_seen":"2026-06-27","source_count":1}
{"type":"sha1","value":"55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec","confidence_score":0.9,"first_seen":"2026-06-27","source_count":1}
{"type":"url","value":"https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp","confidence_score":0.82,"first_seen":"2026-06-27","source_count":1}
{"type":"url","value":"https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1","confidence_score":0.82,"first_seen":"2026-06-27","source_count":1}
