CVE-2025-69262 is a high-severity Command Injection vulnerability in pnpm, a package manager for Node.js. Versions 6.25.0 through 10.26.2 are affected. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. The issue is fixed in version 10.27.0. Defenders should prioritize patching due to the high CVSS score of 7.5 and the [truncated]
CVE-2025-69263 is a high-severity vulnerability affecting pnpm, a package manager for Node.js. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This oversight allows remote servers to serve different content on each install, even when a lockfile is committed. An attacker can exploit this by publishing a package with an HTTP tarbal [truncated]
