Cyber Resilience

CVE-2026-55697

High · Public PoC · RCE

Published: 25 June 2026

Modified: 30 June 2026
KEV Added: not listed
Patch: fixed in 10.34.2 and 11.5.3
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (2.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-55697 is a high-severity OS Command Injection (CWE-78) vulnerability in pnpm (vendor: pnpm). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE is ranked at the 2.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency, and pnpm treated that repository-controlled dependency as an install-engine opt-in. During install, pnpm resolved a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawned it as the developer or CI user. This vulnerability is fixed in 10.34.2 and 11.5.3.
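A defender-side pre-install gate for the behaviour described above, added here as an example and not code from pnpm or from this advisory: it parses the top-level configDependencies mapping of a constructed pnpm-workspace.yaml, flags the two names the advisory says pnpm treated as an install-engine opt-in, and reports whether a given pnpm version is below the fixed releases 10.34.2 / 11.5.3. It assumes the plain `name: version` mapping form and is deliberately not a general YAML parser.

```python
import re

# Constructed sample pnpm-workspace.yaml (not taken from the advisory).
SAMPLE_WORKSPACE = """\
packages:
  - 'packages/*'
configDependencies:
  pacquet: 0.1.0+sha512-abc
  '@pnpm/pacquet': '0.2.0+sha512-def'
  "@acme/config": 1.0.0+sha512-ghi
"""

# Names the advisory says pnpm treated as an install-engine opt-in.
INSTALL_ENGINE_OPT_INS = {"pacquet", "@pnpm/pacquet"}
# First fixed release on each affected branch, per the advisory text.
FIXED_RELEASES = {10: (10, 34, 2), 11: (11, 5, 3)}

def parse_config_dependencies(yaml_text):
    """Return {name: version} from the top-level configDependencies block.
    Line-based parser for the plain `name: version` form (bare or quoted
    keys); it is deliberately not a general YAML parser."""
    deps, in_block = {}, False
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a new top-level key starts here
            in_block = line.split(":", 1)[0].strip() == "configDependencies"
            continue
        if in_block:
            m = re.match(r"""\s+(['"]?)([^'":\s]+)\1\s*:\s*(.*)$""", line)
            if m:
                deps[m.group(2)] = m.group(3).strip().strip("'\"")
    return deps

def is_vulnerable_version(pnpm_version):
    """True when the version is on an affected branch and below its fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", pnpm_version)
    if not m:
        raise ValueError(f"unparseable pnpm version: {pnpm_version!r}")
    parsed = tuple(int(x) for x in m.groups())
    fixed = FIXED_RELEASES.get(parsed[0])
    return fixed is not None and parsed < fixed

def audit(yaml_text, pnpm_version):
    """What a CI gate should report before it runs `pnpm install`."""
    deps = parse_config_dependencies(yaml_text)
    flagged = sorted(n for n in deps if n in INSTALL_ENGINE_OPT_INS)
    return {"config_dependencies": deps, "flagged_opt_ins": flagged,
            "vulnerable_pnpm": is_vulnerable_version(pnpm_version)}
```

A CI job would fail the build when `flagged_opt_ins` is non-empty on a `vulnerable_pnpm` runner, and review the entry in either case.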

CWE(s): CWE-78 (OS Command Injection), CWE-829, CWE-494

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

Why these techniques?

The vulnerability lets a repository-controlled, malicious configDependency be fetched and executed during pnpm install (CWE-829, CWE-494, CWE-78), which maps directly to compromise of software dependencies.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

pnpm (vendor: pnpm): ≤ 10.34.2; 11.0.0 to 11.5.3

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres. (addresses CWE-829, CWE-494)

- Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres. (addresses CWE-829, CWE-494)

- Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery. (addresses CWE-494, CWE-829)

- Limits inclusion of functionality from untrusted sources through supply-chain and component trustworthiness evaluation before integration. (addresses CWE-829, CWE-494)

- Component authenticity requires verifying origin/integrity of acquired firmware or software, directly preventing inclusion of code without integrity checks. (addresses CWE-494, CWE-829)

- Allocation of supply-chain risk management responsibilities and vetting of the development/operational environment reduce inclusion of functionality from untrusted control spheres. (addresses CWE-829, CWE-494)

- Authorizing and controlling mobile code requires verifying origin and integrity before download/execution, directly preventing this weakness. (addresses CWE-494, CWE-829)

- Proactive network scanning for malicious code directly detects and blocks downloads that lack integrity verification. (addresses CWE-494, CWE-829)