CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-vv9j-gjw2-j8wp: yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

highCVSS 8.6CVE-2026-42089
Impact yeoman-environment versions >= 2.9.0 and < 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. Patches Upgrade to yeoman-environment 6.0.1, which adds an interactive confirmation prompt before installation (PR #753). Workarounds None. Resources - Fix commit 78d2af7

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.6
Published
2026-05-26
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-vv9j-gjw2-j8wp

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-42089coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories