CyberSec.Space Logo
Back to CVE Browser

CVE-2026-42089

HIGH
8.6
CVSS Severity Score
EPSS Score0.0650%
EPSS Percentile18.63th
PublishedJun 16, 2026
Last ModifiedJun 16, 2026

Vulnerability Description

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa
🔗 https://github.com/yeoman/environment/pull/753
🔗 https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp

Related Vulnerabilities

CVE-2026-4077210.0

Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.

CVE-2026-4669510.0

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within the...

CVE-2026-4926110.0

MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 th...

CVE-2026-2012710.0

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN M...