CVE-2026-48995 – pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile

CVE ID :CVE-2026-48995

Published : June 25, 2026, 4:58 p.m. | 46 minutes ago

Description :pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person’s machine configuration was compromised, pnpm would download and install these dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…