CVE-2026-55697
Published: 25 June 2026
Summary
CVE-2026-55697 is a high-severity OS Command Injection (CWE-78) vulnerability in the pnpm package manager (vendor pnpm, product pnpm). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). It ranks at the 2.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-39483
Vulnerability details
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency, and pnpm treated that repository-controlled dependency as an install-engine opt-in. During install, pnpm resolved a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawned it as the developer or CI user. This vulnerability is fixed in 10.34.2 and 11.5.3.
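The two preconditions described above (an unpatched pnpm release and a repository-controlled configDependencies entry naming pacquet or @pnpm/pacquet) are straightforward to check in CI before pnpm install runs. The script below is an added example written for this page, not code from the advisory or from the pnpm project. It assumes the flat `name: version` form of the configDependencies block in pnpm-workspace.yaml, treats only the 10.x and 11.x lines (the ones the fixed releases belong to) as in scope, and uses a constructed sample workspace file rather than any real repository.

```python
"""Check a pnpm workspace for the CVE-2026-55697 preconditions.

Added example (not part of the advisory or of pnpm itself). It reports two
things: whether the pnpm version is before the fixed releases 10.34.2 / 11.5.3,
and whether pnpm-workspace.yaml declares a configDependencies entry named
`pacquet` or `@pnpm/pacquet`.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory, keyed by major version.
FIXED_RELEASES = {10: (10, 34, 2), 11: (11, 5, 3)}

# Config dependency names the advisory says pnpm treated as an install-engine opt-in.
WATCHED_CONFIG_DEPS = {"pacquet", "@pnpm/pacquet"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional 'v' prefix; any suffix is ignored)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised pnpm version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_unpatched(version: str) -> Optional[bool]:
    """True if the pnpm version is before the fixed release for its major line.

    Returns None for majors the advisory does not name (assumption: only the
    10.x and 11.x lines are reasoned about here).
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def config_dependencies(workspace_yaml: str) -> Dict[str, str]:
    """Extract the configDependencies mapping from pnpm-workspace.yaml text.

    Minimal stdlib-only reader for the flat `name: version` form; it stops at
    the next top-level key. Quoted keys such as '@pnpm/pacquet' are unquoted.
    """
    deps: Dict[str, str] = {}
    in_block = False
    for line in workspace_yaml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not in_block:
            if re.match(r"^configDependencies:\s*$", line):
                in_block = True
            continue
        if not line.startswith((" ", "\t")):
            break  # back at a top-level key: the block has ended
        m = re.match(r"^\s+['\"]?([^'\":]+)['\"]?\s*:\s*(.*?)\s*$", line)
        if m:
            deps[m.group(1)] = m.group(2).strip("'\"")
    return deps


def flagged_config_dependencies(workspace_yaml: str) -> Dict[str, str]:
    """Return only the watched entries present in configDependencies."""
    return {name: ver for name, ver in config_dependencies(workspace_yaml).items()
            if name in WATCHED_CONFIG_DEPS}


def assess(workspace_yaml: str, pnpm_version: str) -> dict:
    """Combine both conditions into a verdict a CI gate can act on."""
    flagged = flagged_config_dependencies(workspace_yaml)
    unpatched = version_is_unpatched(pnpm_version)
    return {
        "pnpm_version": pnpm_version,
        "unpatched": unpatched,
        "flagged_config_dependencies": flagged,
        # Both conditions must hold for the advisory's scenario to apply.
        "at_risk": bool(flagged) and unpatched is True,
    }


# Constructed sample pnpm-workspace.yaml (not taken from any real repository).
SAMPLE_WORKSPACE = """\
packages:
  - 'packages/*'
configDependencies:
  '@pnpm/pacquet': 0.1.0+sha512-CONSTRUCTED
  some-shared-config: 2.0.0+sha512-CONSTRUCTED
"""

if __name__ == "__main__":
    for ver in ("10.34.1", "10.34.2", "11.5.3"):
        print(ver, assess(SAMPLE_WORKSPACE, ver))
```

In a pipeline, feed the real pnpm-workspace.yaml contents and the output of `pnpm --version` to `assess` and fail the job when `at_risk` is true; the flagged entries and the `unpatched` value tell the reviewer which of the two conditions to fix (upgrade pnpm, or remove the repository-controlled opt-in).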
- CWE(s): CWE-78 (OS Command Injection), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-494 (Download of Code Without Integrity Check), as cited in the technique rationale below
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability lets a repository-controlled malicious configDependency be fetched and executed during pnpm install (CWE-829/494/78), which maps directly to compromise of software dependencies.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
- The strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
- Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery.
- Limits inclusion of functionality from untrusted sources through supply-chain and component trustworthiness evaluation before integration.
- Component authenticity requires verifying the origin and integrity of acquired firmware or software, directly preventing inclusion of code without integrity checks.
- Allocation of supply-chain risk management responsibilities and vetting of the development and operational environment reduce inclusion of functionality from untrusted control spheres.
- Authorizing and controlling mobile code requires verifying origin and integrity before download or execution, directly preventing this weakness.
- Proactive network scanning for malicious code directly detects and blocks downloads that lack integrity verification.