CyberSec.Space Logo
返回 CVE 浏览器

CVE-2026-42089

HIGH
8.6
CVSS Severity Score
EPSS Score0.0650%
EPSS Percentile18.63th
Published2026年6月16日
Last Modified2026年6月16日

Vulnerability Description

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa
🔗 https://github.com/yeoman/environment/pull/753
🔗 https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp

相关漏洞威胁

CVE-2026-361110.0

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default co...

CVE-2026-2018210.0

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after ...

CVE-2026-2012710.0

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN M...

CVE-2026-4713710.0

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced...