PatchSiren cyber security CVE debrief
CVE-2026-42089 yeoman CVE debrief
CVE-2026-42089 is a high-severity vulnerability in Yeoman Environment, the component that discovers, creates, and runs Yeoman generators. Affected versions run from 2.9.0 up to the fix in 6.0.0. The `installLocalGenerators()` method installs any missing local generator package named by the caller, without asking the user to confirm. Because a package-manager install runs the package's lifecycle scripts, a project configuration that names a malicious package turns CLI bootstrap into arbitrary package installation and code execution. The vulnerability is fixed in version 6.0.0.
- Vendor
- yeoman
- Product
- environment
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-16
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-16
Who should care
Developers, CI pipelines, and anyone else who runs Yeoman Environment against project configuration they do not fully control (for example, a cloned repository whose configuration names the generators to load) should treat this as a code-execution risk: if that configuration reaches `installLocalGenerators()`, the named packages are installed and their install scripts run before the user has approved anything.
Technical summary
The `installLocalGenerators()` method in Yeoman Environment takes generator package names supplied by its caller, checks which ones are not installed locally, and installs the missing ones without user confirmation. Package names that originate in attacker-controlled project configuration are therefore passed straight to the package manager, and installing a package executes its lifecycle scripts, so the outcome is arbitrary package installation and code execution during CLI bootstrap. The vulnerability has a CVSS score of 8.6 and is rated high severity.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 6.0.0 or later of Yeoman Environment.
- Until then, do not pass attacker-controlled project configuration into `installLocalGenerators()`; restrict the generator names that reach it to a known set, or do not run the bootstrap against untrusted repositories at all.
Evidence notes
The reporter is not identified in the stored evidence. The vulnerability has been confirmed by the Yeoman Environment team, and the fix is available in version 6.0.0.
Official resources
CVE-2026-42089 was published on 2026-06-16T17:16:40.740Z and modified on 2026-06-16T17:35:00.803Z.