Cyber Resilience

CVE-2026-55487

HighPublic PoC

Published: 25 June 2026

Published
25 June 2026
Modified
29 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0012 2.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-55487 is a high-severity Origin Validation Error (CWE-346) vulnerability in Pnpm Pnpm. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked at the 2.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose…

more

locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1195.001 Compromise Software Dependencies and Development Tools Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Improper locator normalization in package manager enables substitution of attacker-controlled dependencies during approval.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

pnpm
pnpm
≤ 10.34.2 · 11.0.0 — 11.5.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-693 CWE-829

Diverse technology stacks ensure a single protection mechanism failure (or exploit) does not cascade across all components.

addresses: CWE-693

Implements a reliable, tamperproof protection mechanism whose completeness can be assured.

addresses: CWE-693

Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.

addresses: CWE-693

Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.

addresses: CWE-693

Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.

addresses: CWE-693

Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes.

addresses: CWE-693

The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.

addresses: CWE-693

Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail.

References