CyberRota
← Ana sayfaya dön

CVE-2026-48995

HIGH · CVSS 7.5 EPSS %0.12 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-06-25T18:16:38.687 · Çekilme zamanı: 2026-06-30T18:34:10.645582+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

GitHub PoC Linkleri
github.com

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-48995
Severity
HIGH
CVSS
7.5
EPSS
%0.12
GitHub

Orijinal NVD Açıklaması

pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7.