PatchSiren cyber security CVE debrief
CVE-2026-59194 pnpm CVE debrief
CVE-2026-59194 is a vulnerability in pnpm, a package manager, where a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This issue is fixed in pnpm versions 10.34.4 and 11.7.0. The vulnerability has a CVSS score of 7.1 and is considered HIGH severity. Users of pnpm package manager, especially those using versions prior to 10.34.4 or 11.7.0, should be aware of this vulnerability and take steps to update their installations.
- Vendor
- pnpm
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of pnpm package manager, especially those using versions prior to 10.34.4 or 11.7.0, should be aware of this vulnerability and take steps to update their installations. This includes administrators and developers who use pnpm for package management in their projects.
Technical summary
The vulnerability exists in the pnpm package manager, where a crafted patch entry can be used to delete arbitrary files reachable by the user running the 'pnpm patch-remove' command. The issue arises because the patch entry can resolve outside the configured patches directory. This vulnerability has been assigned a CVSS score of 7.1 and is considered HIGH severity. The vulnerability is fixed in pnpm versions 10.34.4 and 11.7.0.
Defensive priority
High priority should be given to updating pnpm to versions 10.34.4 or 11.7.0, or later, to mitigate this vulnerability.
Recommended defensive actions
- Update pnpm to version 10.34.4 or 11.7.0, or later.
- Review and restrict patch entries to ensure they do not resolve outside the configured patches directory.
- Monitor systems for unauthorized file deletions.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-06T16:16:37.550Z and was last modified on 2026-07-07T19:08:57.837Z. The NVD entry is currently Analyzed. The vulnerability exists in pnpm package manager versions prior to 10.34.4 and 11.7.0. Evidence of exploitation is not currently available. Defenders should verify patch applicability and system exposure.
Official resources
-
CVE-2026-59194 CVE record
CVE.org
-
CVE-2026-59194 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory, Exploit
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T16:16:37.550Z and has not been modified since then. The NVD entry is currently Analyzed.