PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59194 pnpm CVE debrief

CVE-2026-59194 is a vulnerability in pnpm, a package manager, where a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This issue is fixed in pnpm versions 10.34.4 and 11.7.0. The vulnerability has a CVSS score of 7.1 and is considered HIGH severity. Users of pnpm package manager, especially those using versions prior to 10.34.4 or 11.7.0, should be aware of this vulnerability and take steps to update their installations.

Vendor
pnpm
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of pnpm package manager, especially those using versions prior to 10.34.4 or 11.7.0, should be aware of this vulnerability and take steps to update their installations. This includes administrators and developers who use pnpm for package management in their projects.

Technical summary

The vulnerability exists in the pnpm package manager, where a crafted patch entry can be used to delete arbitrary files reachable by the user running the 'pnpm patch-remove' command. The issue arises because the patch entry can resolve outside the configured patches directory. This vulnerability has been assigned a CVSS score of 7.1 and is considered HIGH severity. The vulnerability is fixed in pnpm versions 10.34.4 and 11.7.0.

Defensive priority

High priority should be given to updating pnpm to versions 10.34.4 or 11.7.0, or later, to mitigate this vulnerability.

Recommended defensive actions

  • Update pnpm to version 10.34.4 or 11.7.0, or later.
  • Review and restrict patch entries to ensure they do not resolve outside the configured patches directory.
  • Monitor systems for unauthorized file deletions.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-06T16:16:37.550Z and was last modified on 2026-07-07T19:08:57.837Z. The NVD entry is currently Analyzed. The vulnerability exists in pnpm package manager versions prior to 10.34.4 and 11.7.0. Evidence of exploitation is not currently available. Defenders should verify patch applicability and system exposure.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T16:16:37.550Z and has not been modified since then. The NVD entry is currently Analyzed.