Pnpm: Thirteen Vulnerabilities Disclosed Together, Posing Risks of ACE and Supply Chain Compromise
Key findings • Thirteen vulnerabilities disclosed for pnpm on June 25, 2026, including ACE, info disclosure, and supply chain risks. • Multiple CVEs detail arbitrary code execution via path t…

Key findings
- Thirteen vulnerabilities disclosed for pnpm on June 25, 2026, including ACE, info disclosure, and supply chain risks.
- Multiple CVEs detail arbitrary code execution via path traversal, malicious lockfiles, and improper file handling.
- Supply chain compromise is a key concern, with vulnerabilities related to unverified dependencies and manipulated package sources.
- Information disclosure risks include environment secrets and authentication credentials via malicious configurations.
- Users should consult pnpm advisories and update promptly to mitigate these diverse security threats.
On June 25, 2026, a batch of thirteen vulnerabilities was disclosed for the pnpm package manager, spanning various security risks including arbitrary code execution, information disclosure, and supply chain compromise. These vulnerabilities were all disclosed on the same day, indicating a coordinated disclosure event that impacts users relying on pnpm for their project dependencies. The sheer number and variety of issues highlight potential weaknesses in dependency verification, file handling, and configuration management within the pnpm ecosystem.
Several vulnerabilities center around the potential for arbitrary code execution (ACE). CVE-2026-50016 and CVE-2026-55698, both rated as "important," detail ACE risks stemming from path traversal in dependency aliases and malicious package-manager lockfiles, respectively. Additionally, CVE-2026-50015, also rated "important," allows for arbitrary file writes or deletions due to a lack of path validation in patch files. CVE-2026-55700 and CVE-2026-55697, rated "important" and "important" respectively, enable unauthorized file modification via crafted package manifests and ACE through improper handling of config dependencies. CVE-2026-50014, a moderate severity vulnerability, also presents an ACE risk via a malicious lockfile.
Supply chain security is another significant theme within this batch. CVE-2026-48995 and CVE-2026-55487, both rated "important," address supply chain compromises arising from unverified dependencies and manipulated package source strings, respectively. Furthermore, CVE-2026-50573 and CVE-2026-50021, both rated moderate, indicate that package integrity checks can be bypassed, potentially allowing the installation of malicious or altered content through manipulated lockfiles.
Information disclosure vulnerabilities were also present. CVE-2026-55180, a moderate severity issue, allows for the disclosure of environment secrets through improper environment variable expansion in both pnpm and pacquet. Similarly, CVE-2026-50017, another moderate severity vulnerability, permits the disclosure of authentication credentials via malicious .npmrc files. Finally, CVE-2026-55699, a moderate severity vulnerability, could lead to a denial of service due to improper handling of malicious package manifest bin keys.
The coordinated disclosure of these thirteen vulnerabilities on June 25, 2026, underscores the importance of timely patching and security diligence for pnpm users. While specific version information for fixes was not detailed in the provided data, users are strongly advised to consult official pnpm advisories and update to the latest available versions to mitigate these risks. The breadth of issues, from code execution to supply chain attacks, necessitates a thorough review of dependency management practices and configurations.
This batch of vulnerabilities serves as a critical reminder for developers and organizations to remain vigilant about the security of their software supply chains and the integrity of the tools they rely on for package management. Staying informed about disclosed vulnerabilities and applying patches promptly are essential steps in maintaining a secure development environment. The interconnected nature of modern development means that a single compromised tool can have far-reaching consequences.