Cyber Resilience

CVE-2026-50016

Severity: High · Public PoC

Published: 25 June 2026
Modified: 29 June 2026
KEV Added: not listed
Patch: fixed in 10.34.0 and 11.4.0
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0033 (24.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-50016 is a high-severity Relative Path Traversal (CWE-23) vulnerability in pnpm (vendor: pnpm). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE is ranked at the 24.5th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.


Vulnerability details

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.

CWE(s)

CWE-23 Relative Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1195.002 Compromise Software Supply Chain (tactic: Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The vulnerability in the package manager allows a malicious registry package to perform path traversal and symlink replacement during install, directly enabling supply chain compromise through a compromised dependency.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

pnpm (vendor: pnpm): ≤ 10.34.0; 11.0.0 to 11.4.0 (the fixed releases are 10.34.0 and 11.4.0)

Mitigating Controls

No mitigating controls have been mapped yet; the per-CVE control annotator has not processed this CVE.