CVE-2026-23890 - pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_...
CVE ID: CVE-2026-23890
Published: Jan. 26, 2026, 10:15 p.m.
Description: pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.
Severity: 6.5 | MEDIUM
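The check a package manager needs here is the one the description implies: validate the bin name after scope normalization, not before, and reject anything that is not a single plain path segment. The following is an added illustration written for this page, not pnpm's own code or its actual fix; the function names, the "@scope/name -> name" normalization rule, the weak check and the sample bin names are all assumptions constructed to show the difference between validating before and after normalization.

```javascript
// Hypothetical scope normalization, modelled on the behaviour the advisory
// describes (not pnpm's code): "@scope/name" becomes "name".
function normalizeScopedBinName(name) {
  if (name.startsWith('@')) {
    const slash = name.indexOf('/');
    return slash === -1 ? name.slice(1) : name.slice(slash + 1);
  }
  return name;
}

// Weak pattern (assumed, for contrast): scoped names are exempted from the
// check, and the check runs on the raw name rather than the normalized one.
function weakIsSafeBinName(name) {
  if (name.startsWith('@')) return true;
  return !name.includes('..') && !name.includes('/') && !name.includes('\\');
}

// Hardened check: normalize first, then require exactly one plain segment.
// No separators, no "." or "..", no NUL, nothing empty.
function hardenedIsSafeBinName(name) {
  const normalized = normalizeScopedBinName(name);
  if (normalized.length === 0) return false;
  if (normalized === '.' || normalized === '..') return false;
  if (/[\/\\\0]/.test(normalized)) return false;
  return true;
}

// Belt-and-braces containment check: resolve the shim path segment by
// segment against the .bin directory and refuse anything that climbs out.
// Returns the resolved path, or null if the name escapes the root.
function joinWithinBinDir(binDir, name) {
  const root = binDir.replace(/\/+$/, '');
  const segs = [];
  for (const s of normalizeScopedBinName(name).split(/[\/\\]/)) {
    if (s === '' || s === '.') continue;
    if (s === '..') {
      if (segs.length === 0) return null; // would leave node_modules/.bin
      segs.pop();
      continue;
    }
    segs.push(s);
  }
  return segs.length === 0 ? null : root + '/' + segs.join('/');
}

// Constructed sample bin names: two legitimate, three traversal attempts.
const SAMPLE_BIN_NAMES = [
  'eslint',
  '@scope/tool',
  '@scope/../../.npmrc',
  '@/../../etc',
  '../evil',
];

// Report what each check would decide for every sample name.
function classify(binDir, names) {
  return names.map((n) => ({
    name: n,
    weak: weakIsSafeBinName(n),
    hardened: hardenedIsSafeBinName(n) && joinWithinBinDir(binDir, n) !== null,
  }));
}

console.table(classify('/proj/node_modules/.bin', SAMPLE_BIN_NAMES));
```

Run with `node`. The table shows the weak check waving through `@scope/../../.npmrc` because the `@` prefix short-circuits validation, while the hardened check rejects it because the traversal survives normalization. For a CI pipeline the practical mitigation is simply to be on pnpm 10.28.1 or later; the containment check is the kind of invariant to add if you maintain your own linking or shim-generation code.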