CVSS 7.1 HIGH Vulnerability

CVE-2026-55700: pnpm: `stage download` writes outside its destination directory via manifest name/version…


CVSS Score: 7.1
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-55700
Vendor: npm
Affected Product: pnpm
Vulnerability Type: Path traversal (local filename derived from registry-controlled package name and version)
CVSS Score: 7.1 (HIGH)
Actively Exploited: No known exploitation
Patch Status: Fixed on main by pnpm/pnpm#12303 (see the vendor advisory, GHSA-v23m-ccfg-pq9h)
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary: The staged-tarball filename traversal reported as GHSA-v23m-ccfg-pq9h / CAND-PNPM-038 is fixed on main by [pnpm/pnpm#12303](https://github.com/pnpm/pnpm/pull/12303), merged as 65443f4bdf1f0db9c8c7dc58fee25252607e9234. Before the fix, `pnpm stage download` derived the local filename of the staged tarball from the package name and version fields of the manifest, both of which are controlled by the registry. A crafted manifest could therefore escape the selected download directory and overwrite any other file the pnpm process was able to write. The merged fix validates both fields, derives a single safe filename from them, and verifies the final destination before writing.

Security boundary:

• Package names and semantic versions are validated before they can influence a local filename.
• POSIX and Windows path separators are rejected by basename checks.
• Stage download and tarball summary paths

🎯 Known Indicators of Compromise

• sha1 65443f4bdf1f0db9c8c7dc58fee25252607e9234 (confidence 0.9, first seen 2026-06-27, 1 source): the commit that merged the fix.
• url https://github.com/pnpm/pnpm/pull/12303 (confidence 0.82, first seen 2026-06-27, 1 source): the fix pull request.

Both entries identify the patch rather than attacker activity; with no known exploitation recorded, there are no exploitation indicators to hunt for here. The useful check is whether a deployed pnpm build includes the fix commit.

📚 Advisory References

• GHSA-v23m-ccfg-pq9h (GitHub Security Advisory; also tracked as CAND-PNPM-038)
• pnpm/pnpm#12303, https://github.com/pnpm/pnpm/pull/12303 (fix, merged as 65443f4bdf1f0db9c8c7dc58fee25252607e9234)

