PatchSiren cyber security CVE debrief
CVE-2026-0775 npm CVE debrief
CVE-2026-0775 is a HIGH severity vulnerability in npm cli that allows a local attacker to escalate privileges. The flaw lies in the handling of modules: the application loads modules from an unsecured location. To exploit it, an attacker must first be able to execute low-privileged code on the target system. The vulnerability was reported by the Zero Day Initiative (ZDI) and has a CVSS score of 7. The CVE was published on January 23, 2026, and last modified on June 30, 2026.
- Vendor: npm
- Product: cli
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-23
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-23
- Advisory updated: 2026-06-30
Who should care
Administrators and users of npm cli should be aware of this vulnerability and take steps to mitigate it. It allows a local attacker to escalate privileges, which can lead to arbitrary code execution in the context of the target user. Any system on which an untrusted user can already run low-privileged code is at risk.
Technical summary
The vulnerability exists within the handling of modules in npm cli. The application loads modules from an unsecured location, so an attacker who can place a module there can escalate privileges and execute arbitrary code in the context of the target user. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The associated weakness is CWE-732 (Incorrect Permission Assignment for Critical Resource).
Defensive priority
This vulnerability has a HIGH severity and a CVSS score of 7, indicating a significant risk to affected systems. Administrators should prioritize patching or mitigating this vulnerability as soon as possible.
Recommended defensive actions
- Apply the patch or update provided by the vendor to address the vulnerability.
- Restrict use of the npm cli to trusted users, and keep the privileges of other local accounts to the minimum they need.
- Monitor systems for suspicious activity and implement compensating controls to detect and prevent exploitation.
- Consider implementing additional security measures such as SELinux or other mandatory access control systems to restrict access to sensitive resources.
- Keep the npm cli and its dependencies up to date to ensure the latest security patches are applied.
Evidence notes
CVE-2026-0775 was reported by the Zero Day Initiative (ZDI) and has a CVSS score of 7. The CVE was published on January 23, 2026, and last modified on June 30, 2026. The vulnerability exists within the handling of modules in npm cli, which loads modules from an unsecured location. The associated weakness is CWE-732.
Official resources
- CVE-2026-0775 CVE record (CVE.org)
- CVE-2026-0775 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.