{"id":"CVE-2026-23889","summary":"pnpm has Windows-specific tarball Path Traversal","details":"pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows a malicious package tarball to write files outside the package directory on Windows. The path normalization only checks for the forward-slash form `./` and not the backslash form `.\\`; because Windows treats backslashes as directory separators, a tarball entry whose path uses backslashes bypasses the check and escapes the extraction directory. This vulnerability is Windows-only; installs on Linux and macOS are not affected. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps), where installing an attacker-controlled dependency can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch; Windows users should upgrade to 10.28.1 or later.","aliases":["GHSA-6x96-7vc8-cm3p"],"modified":"2026-04-10T05:39:17.396050Z","published":"2026-01-26T21:50:55.289Z","database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23889.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/pnpm/pnpm/releases/tag/v10.28.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23889.json"},{"type":"ADVISORY","url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23889"},{"type":"FIX","url":"https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pnpm/pnpm","events":[{"introduced":"0"},{"fixed":"0b5a56aaec74a51d796adc1828c399ad6319c5be"}]}],"versions":["0.19.0","@pnpm/headless@0.6.2","@pnpm/utils@0.6.1","config/1.0.0","config/1.1.0","config/1.2.0","config/1.2.1","config/1.2.2","config/1.2.3","config/1.2.4","config/1.2.5","config/1.2.6","config/1.2.7","config/1.3.0","config/1.3.1","config/2.0.0","config/2.0.1","config/2.1.0","config/2.1.1","config/2.2.0","core-loggers/0.0.0","default-fetcher/2.0.1","default-fetcher/2.0.2","defau
lt-reporter/0.17.0","default-resolver/2.0.2","default-resolver/2.0.3","default-resolver/2.0.4","headless/0.4.0","headless/0.5.0","headless/0.5.1","headless/0.5.2","headless/0.5.3","headless/0.5.4","headless/0.6.0","headless/0.6.1","headless/0.6.3","headless/0.6.4","headless/0.6.5","headless/0.6.7","headless@0.6.6","package-requester/4.1.0","package-requester/4.1.2","package-requester/4.1.3","package-requester/4.1.4","package-requester@4.1.1","package-store/0.23.2","package-store/0.23.3","package-store/0.23.4","pnpm-default-reporter/0.17.1","pnpm-default-reporter/0.17.2","pnpm-default-reporter/0.17.3","pnpm-default-reporter/0.17.4","pnpm-default-reporter/0.17.5","pnpm-default-reporter/0.17.6","pnpm-default-reporter/0.17.7","pnpm-default-reporter/0.17.8","pnpm-default-reporter/0.18.0","pnpm-default-reporter/0.19.0","pnpm-default-reporter/0.19.1","pnpm-default-reporter/0.19.2","pnpm-default-reporter/0.20.0","pnpm-default-reporter/0.20.2","pnpm-default-reporter/0.20.3","pnpm-default-reporter/0.20.4","pnpm-default-reporter/0.20.5","pnpm-default-reporter@0.20.1","server/0.14.1","server/0.14.2","server/0.14.3","supi/0.19.1","supi/0.19.2","supi/0.19.3","supi/0.20.0","supi/0.20.1","supi/0.20.2","supi/0.20.3","supi/0.20.4","supi/0.20.5","supi/0.20.6","supi/0.20.7","supi/0.20.8","supi/0.21.0","supi/0.21.1","supi/0.22.0","supi/0.22.1","supi/0.22.2","supi/0.23.0","supi/0.23.1","supi/0.24.0","supi/0.24.10","supi/0.24.2","supi/0.24.3","supi/0.24.4","supi/0.24.5","supi/0.24.6","supi/0.24.7","supi/0.24.8","supi@0.24.1","supi@0.24.9","utils/0.1.0","utils/0.2.0","utils/0.2.1","utils/0.3.0","utils/0.4.0","utils/0.5.0","utils/0.5.1","utils/0.6.0","utils/0.6.2","utils/0.6.3","utils/0.6.4","utils/0.8.0","utils@0.7.0","v0.1.0","v0.10.0","v0.10.1","v0.11.0","v0.11.1","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.2.0","v0.2.1","v0.2.2","v0.20.0","v0.21.0","v0.22.1","v0.23.0","v0.24.0","v0.25.0","v0.26.1","v0.26.2","v0.27.0","v0.28.0","v0.29.0","v0.29.1","v0.3.0","
v0.30.0","v0.31.0","v0.31.1","v0.31.2","v0.32.0","v0.32.1","v0.33.0","v0.34.0","v0.35.0","v0.36.0","v0.37.0","v0.38.0","v0.38.1","v0.38.2","v0.39.0","v0.39.1","v0.4.0","v0.4.1","v0.40.0","v0.41.0","v0.42.0","v0.42.1","v0.42.2","v0.42.3","v0.42.4","v0.42.5","v0.42.6","v0.43.0","v0.43.1","v0.43.2","v0.44.0","v0.44.1","v0.45.0","v0.45.1","v0.46.0","v0.47.0","v0.47.1","v0.48.0","v0.48.1","v0.49.0","v0.49.1","v0.49.2","v0.5.0","v0.50.0","v0.51.0","v0.51.1","v0.51.2","v0.51.3","v0.52.0","v0.52.1","v0.53.0","v0.54.0","v0.54.1","v0.55.0","v0.55.1","v0.55.2","v0.55.3","v0.56.0","v0.57.0","v0.57.1","v0.57.2","v0.58.0","v0.59.0","v0.6.1","v0.60.0","v0.60.1","v0.60.2","v0.60.3","v0.61.0","v0.62.0","v0.62.1","v0.62.2","v0.63.0","v0.64.0","v0.64.1","v0.64.2","v0.64.3","v0.64.4","v0.64.5","v0.64.6","v0.64.7","v0.64.8","v0.65.0","v0.65.1","v0.65.2","v0.65.3","v0.65.4","v0.65.5","v0.65.6","v0.65.7","v0.66.0","v0.66.1","v0.66.2","v0.66.3","v0.66.4","v0.67.0","v0.67.1","v0.67.2","v0.67.3","v0.68.0","v0.69.0","v0.69.0-beta.1","v0.69.0-beta.2","v0.69.0-beta.3","v0.69.0-beta.4","v0.69.1","v0.69.2","v0.69.3","v0.69.4","v0.7.0","v0.70.0","v0.70.0-beta.1","v0.70.0-beta.2","v0.70.1","v0.71.0","v0.71.1","v0.72.0","v0.73.0","v0.73.1","v0.73.2","v0.73.3","v0.74.0","v0.74.1","v0.74.2","v0.74.3","v0.74.4","v0.75.0","v0.8.0","v0.8.1","v0.8.2","v0.9.0","v1","v1.0.0","v1.0.1","v1.1.0","v1.10.0","v1.10.1","v1.10.2","v1.11.0","v1.11.1","v1.12.0","v1.13.0","v1.13.1","v1.13.2","v1.14.0","v1.14.10","v1.14.2","v1.14.3","v1.14.4","v1.14.5","v1.14.6","v1.14.7","v1.14.8","v1.14.9","v1.15.0","v1.16.0","v1.16.2","v1.16.3","v1.17.0","v1.17.1","v1.17.2","v1.18.0","v1.18.1","v1.19.0","v1.19.1","v1.19.2","v1.19.3","v1.19.4","v1.19.5","v1.19.6","v1.19.7","v1.2.0","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.23.1","v1.23.2","v1.24.0","v1.24.0-2","v1.24.0-3","v1.24.1","v1.24.2","v1.24.3","v1.25.0","v1.25.1","v1.26.0","v1.27.0","v1.27.0-0","v1.27.0-1","v1.28.0","v1.29.1","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1
.30.0","v1.30.1","v1.30.2","v1.31.0","v1.31.1","v1.31.2","v1.31.3","v1.31.4","v1.31.5","v1.31.6","v1.32.0","v1.32.1","v1.33.0","v1.33.1","v1.33.2","v1.34.0","v1.35.0","v1.35.1","v1.35.10","v1.35.2","v1.35.3","v1.35.4","v1.35.5","v1.35.6","v1.35.7","v1.35.8","v1.35.9","v1.36.0","v1.36.1","v1.36.2","v1.37.0","v1.37.1","v1.37.2","v1.37.3","v1.37.5","v1.38.0","v1.38.2","v1.38.3","v1.39.0","v1.39.1","v1.4.0","v1.40.0","v1.40.1","v1.40.2","v1.41.0","v1.41.1","v1.41.2","v1.41.3","v1.42.0","v1.43.0","v1.43.1","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.6.0","v1.6.1","v1.7.0","v1.7.1","v1.8.0","v1.8.1","v1.8.2","v1.9.0","v10.0.0","v10.0.0-alpha.0","v10.0.0-alpha.1","v10.0.0-alpha.2","v10.0.0-alpha.3","v10.0.0-alpha.4","v10.0.0-beta.0","v10.0.0-beta.1","v10.0.0-beta.2","v10.0.0-beta.3","v10.0.0-rc.0","v10.0.0-rc.1","v10.0.0-rc.2","v10.0.0-rc.3","v10.1.0","v10.10.0","v10.11.0","v10.12.1","v10.12.2","v10.12.3","v10.12.4","v10.13.0","v10.13.1","v10.14.0","v10.14.0-0","v10.15.0","v10.15.1","v10.16.0","v10.16.1","v10.17.0","v10.17.1","v10.18.0","v10.18.1","v10.18.2","v10.18.3","v10.19.0","v10.19.1-oidc-test.0","v10.19.1-oidc-test.1","v10.19.1-oidc-test.2","v10.19.1-oidc-test.3","v10.2.0","v10.2.1","v10.20.0","v10.21.0","v10.22.0","v10.23.0","v10.24.0","v10.25.0","v10.26.0","v10.26.1","v10.26.2","v10.27.0","v10.28.0","v10.3.0","v10.4.0","v10.4.1","v10.5.0","v10.5.1","v10.5.2","v10.6.0","v10.6.1","v10.6.2","v10.7.0","v10.8.0","v10.8.1","v10.9.0","v2.0.0","v2.0.0-rc.0","v2.1.0","v2.10.0","v2.10.1","v2.10.2","v2.10.3","v2.10.4","v2.11.0","v2.12.0","v2.12.0-0","v2.12.0-1","v2.12.1","v2.13.0","v2.13.1","v2.13.3","v2.14.0","v2.14.0-0","v2.14.0-1","v2.14.1","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.15.0","v2.15.1","v2.15.2","v2.16.0","v2.16.1","v2.17.0","v2.17.0-0","v2.17.0-1","v2.17.0-2","v2.17.0-3","v2.17.0-4","v2.17.0-5","v2.17.1","v2.17.2","v2.17.3","v2.17.4","v2.17.5","v2.17.6","v2.17.7","v2.17.8","v2.18.0","v2.18.2","v2.19.0","v2.19.0-0","v2.19.0-1","v2.19.0-2","v2.19.1","v2.19.2","v2
.19.3","v2.19.4","v2.2.0","v2.2.1","v2.2.2","v2.20.0","v2.20.1","v2.21.0","v2.21.1","v2.22.0","v2.22.0-0","v2.23.0","v2.23.0-0","v2.23.1","v2.24.0","v2.24.0-0","v2.24.1","v2.24.2","v2.25.0","v2.25.0-0","v2.25.0-1","v2.25.1","v2.25.2","v2.25.3","v2.25.4","v2.3.0","v2.3.1","v2.4.0","v2.5.0","v2.6.0","v2.6.1","v2.6.2","v2.7.0","v2.8.0","v2.9.0","v3.0.0","v3.0.0-alpha.0","v3.0.0-alpha.1","v3.0.0-alpha.2","v3.0.0-alpha.3","v3.0.0-beta.0","v3.0.0-beta.2","v3.0.1","v3.1.0","v3.1.0-0","v3.1.0-1","v3.1.1","v3.2.0","v3.2.0-0","v3.2.0-1","v3.3.0","v3.3.0-0","v3.3.0-1","v3.3.0-2","v3.3.1","v3.3.2","v3.3.3","v3.3.4","v3.4.0","v3.4.0-0","v3.4.1","v3.5.0","v3.5.0-0","v3.5.0-1","v3.5.0-2","v3.5.0-3","v3.5.1","v3.5.2","v3.5.3","v3.5.5","v3.5.6","v3.5.7","v3.6.0","v3.6.0-0","v3.6.1","v3.6.2","v3.7.0","v3.7.0-0","v3.7.0-1","v3.7.0-2","v3.7.0-3","v3.7.0-4","v3.7.0-5","v3.7.1","v3.7.2","v3.7.3","v3.7.4","v3.7.5","v3.8.0","v3.8.0-0","v3.8.0-1","v3.8.1","v4.0.0","v4.0.0-0","v4.0.0-1","v4.0.0-2","v4.0.0-3","v4.0.0-4","v4.0.0-5","v4.0.0-6","v4.0.0-7","v4.0.0-8","v4.0.1","v4.1.0","v4.1.1","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.10.0","v4.10.0-0","v4.10.0-1","v4.10.0-2","v4.10.0-3","v4.11.0","v4.11.1","v4.11.2","v4.11.3","v4.11.4","v4.12.0","v4.12.0-0","v4.12.0-1","v4.12.1","v4.12.2","v4.12.3","v4.12.4","v4.12.5","v4.13.0","v4.13.0-0","v4.13.0-1","v4.14.0","v4.14.0-0","v4.14.0-1","v4.14.0-2","v4.14.1","v4.2.0","v4.2.0-0","v4.2.2","v4.2.3","v4.3.0","v4.3.0-0","v4.3.1","v4.4.0","v4.4.0-0","v4.4.0-1","v4.4.0-2","v4.5.0","v4.5.0-0","v4.5.0-1","v4.5.0-6","v4.6.0","v4.6.0-0","v4.6.0-1","v4.7.0","v4.7.0-1","v4.7.1","v4.7.2","v4.8.0","v4.8.0-0","v4.8.0-1","v4.9.0","v4.9.0-0","v4.9.0-1","v4.9.0-2","v4.9.0-3","v4.9.0-4","v4.9.1","v4.9.2","v4.9.3","v5.0.0","v5.0.0-0","v5.0.0-1","v5.0.0-alpha.2","v5.0.0-alpha.3","v5.0.0-alpha.4","v5.0.0-alpha.5","v5.0.0-alpha.6","v5.0.0-alpha.7","v5.0.0-rc.0","v5.0.0-rc.1","v5.0.0-rc.2","v5.0.0-rc.3","v5.0.0-rc.4","v5.0.0-rc.5","v5.0.1","v5.0.2","v5.1.0","v5.1.1
","v5.1.2","v5.1.3","v5.1.4","v5.1.5","v5.1.6","v5.1.7","v5.1.8","v5.10.0","v5.10.0-0","v5.10.1","v5.10.2","v5.10.3","v5.10.4","v5.11.0","v5.11.1","v5.12.0","v5.13.0","v5.13.1","v5.13.2","v5.13.3","v5.13.4","v5.13.5","v5.13.6","v5.13.7","v5.14.0","v5.14.1","v5.14.2","v5.14.3","v5.15.0","v5.15.1","v5.15.2","v5.15.3","v5.16.0","v5.16.0-0","v5.16.0-1","v5.16.0-2","v5.16.1","v5.17.0","v5.17.1","v5.17.2","v5.17.3","v5.18.0","v5.18.1","v5.2.0","v5.2.0-0","v5.2.1","v5.2.2","v5.2.3","v5.2.4","v5.2.5","v5.2.6","v5.2.8","v5.2.9","v5.3.0","v5.4.0","v5.4.1","v5.4.10","v5.4.11","v5.4.12","v5.4.2","v5.4.3","v5.4.4","v5.4.5","v5.4.6","v5.4.7","v5.4.8","v5.4.9","v5.5.0","v5.5.1","v5.5.10","v5.5.11","v5.5.12","v5.5.13","v5.5.2","v5.5.3","v5.5.4","v5.5.5","v5.5.6","v5.5.7","v5.5.8","v5.5.9","v5.6.0","v5.6.0-0","v5.6.1","v5.7.0","v5.7.0-0","v5.8.0","v5.8.0-0","v5.9.0","v5.9.0-0","v5.9.0-1","v5.9.0-2","v5.9.2","v5.9.3","v6.0.0","v6.0.0-alpha.3","v6.0.0-alpha.4","v6.0.0-alpha.5","v6.0.0-alpha.6","v6.0.0-beta.0","v6.0.0-beta.1","v6.0.0-rc.0","v6.0.0-rc.1","v6.0.1","v6.0.2","v6.1.0","v6.10.0","v6.10.0-0","v6.10.0-1","v6.10.1","v6.10.2","v6.11.0","v6.11.0-0","v6.11.1","v6.11.2","v6.11.5","v6.12.0","v6.12.0-0","v6.12.0-1","v6.12.0-2","v6.12.1","v6.13.0","v6.13.0-0","v6.14.0","v6.14.0-0","v6.14.0-3","v6.14.1","v6.14.2","v6.14.3","v6.14.4","v6.14.4-0","v6.14.4-1","v6.14.5","v6.14.6","v6.14.7","v6.15.0","v6.15.1","v6.15.2","v6.16.0","v6.16.1","v6.17.0","v6.17.1","v6.17.2","v6.18.0","v6.19.0","v6.19.1","v6.2.0","v6.2.1","v6.2.2","v6.2.3","v6.2.4","v6.2.5","v6.20.0","v6.20.1","v6.20.2","v6.20.3","v6.20.4","v6.21.0","v6.21.1","v6.22.0","v6.22.1","v6.22.2","v6.23.0","v6.23.1","v6.23.2","v6.23.3","v6.23.4","v6.23.5","v6.23.6","v6.24.0","v6.24.0-0","v6.24.0-1","v6.24.1","v6.24.2","v6.24.3","v6.24.4","v6.25.0","v6.25.0-0","v6.25.0-1","v6.25.0-2","v6.25.0-3","v6.25.1","v6.26.0","v6.26.1","v6.27.0","v6.3.0","v6.4.0","v6.5.0","v6.6.0","v6.6.1","v6.6.2","v6.7.0","v6.7.1","v6.7.2","v6.7.3","v6.7.4","v6.7.
5","v6.7.6","v6.8.0","v6.9.0","v6.9.1","v7.0.0","v7.0.0-alpha.0","v7.0.0-alpha.1","v7.0.0-alpha.2","v7.0.0-alpha.3","v7.0.0-alpha.4","v7.0.0-beta.0","v7.0.0-beta.1","v7.0.0-beta.2","v7.0.0-rc.0","v7.0.0-rc.1","v7.0.0-rc.2","v7.0.0-rc.3","v7.0.0-rc.4","v7.0.0-rc.5","v7.0.0-rc.6","v7.0.0-rc.7","v7.0.0-rc.8","v7.0.0-rc.9","v7.0.1","v7.1.0","v7.1.1","v7.1.2","v7.1.3","v7.1.4","v7.1.5","v7.1.6","v7.1.7","v7.1.8","v7.1.9","v7.10.0","v7.10.0-0","v7.10.0-1","v7.11.0","v7.11.1-0","v7.12.0","v7.12.0-0","v7.12.1","v7.12.2","v7.13.0","v7.13.1","v7.13.2","v7.13.3","v7.13.4","v7.13.5","v7.13.6","v7.14.0","v7.14.1","v7.14.2","v7.15.0","v7.16.0","v7.16.1","v7.17.0","v7.17.1","v7.18.0","v7.18.1","v7.18.2","v7.19.0","v7.2.0","v7.2.1","v7.20.0","v7.21.0","v7.22.0","v7.23.0","v7.24.0","v7.24.1","v7.24.2","v7.24.3","v7.25.0","v7.25.1","v7.26.0","v7.26.1","v7.26.2","v7.26.3","v7.27.0","v7.27.0-0","v7.27.1","v7.28.0","v7.28.0-0","v7.29.0","v7.29.0-0","v7.29.0-1","v7.29.0-2","v7.29.1","v7.29.2","v7.29.3","v7.3.0","v7.30.0","v7.30.0-0","v7.4.0","v7.4.0-0","v7.4.0-1","v7.4.0-2","v7.4.0-3","v7.4.0-4","v7.4.1","v7.5.0","v7.5.1","v7.5.2","v7.6.0","v7.6.0-0","v7.7.0","v7.7.0-0","v7.7.0-1","v7.7.1","v7.8.0","v7.9.0","v7.9.0-0","v7.9.1","v7.9.2","v7.9.3","v7.9.4","v7.9.4-0","v7.9.5","v8.0.0","v8.0.0-beta.1","v8.0.0-rc.0","v8.0.0-rc.1","v8.1.0","v8.1.1","v8.10.0","v8.10.0-0","v8.10.1","v8.10.2","v8.10.3","v8.10.4","v8.10.5","v8.11.0","v8.12.0","v8.12.1","v8.13.1","v8.14.0","v8.2.0","v8.3.0","v8.3.0-0","v8.3.1","v8.4.0","v8.5.0","v8.5.1","v8.6.0","v8.6.1","v8.6.10","v8.6.11","v8.6.12","v8.6.2","v8.6.3","v8.6.4","v8.6.5","v8.6.6","v8.6.7","v8.6.8","v8.6.9","v8.7.0","v8.7.0-0","v8.7.1","v8.7.2","v8.7.3","v8.7.4","v8.7.5","v8.7.6","v8.8.0","v8.9.0","v8.9.0-0","v8.9.0-1","v8.9.1","v8.9.2","v9.0.0","v9.0.0-alpha.0","v9.0.0-alpha.1","v9.0.0-alpha.10","v9.0.0-alpha.2","v9.0.0-alpha.3","v9.0.0-alpha.4","v9.0.0-alpha.5","v9.0.0-alpha.6","v9.0.0-alpha.7","v9.0.0-alpha.8","v9.0.0-alpha.9","v9.0.0-beta.0","v9.0
.0-beta.1","v9.0.0-beta.2","v9.0.0-beta.3","v9.0.0-rc.0","v9.0.0-rc.1","v9.0.0-rc.2","v9.0.1","v9.0.2","v9.0.3","v9.0.4","v9.0.5","v9.0.6","v9.1.0","v9.1.0-0","v9.1.1","v9.1.2","v9.1.3","v9.1.4","v9.10.0","v9.11.0","v9.12.0","v9.12.1","v9.12.2","v9.12.3","v9.2.0","v9.3.0","v9.4.0","v9.5.0","v9.5.0-beta.0","v9.5.0-beta.1","v9.5.0-beta.2","v9.5.0-beta.3","v9.6.0","v9.7.0","v9.7.1","v9.8.0","v9.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23889.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}