CVE-2026-42089
Impact
yeoman-environment versions >= 2.9.0 and < 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap.
The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user.
Patches
Upgrade to yeoman-environment 6.0.1, which adds an interactive confirmation prompt before installation (PR #753).
Workarounds
None.
Resources
- Fix commit 78d2af7
⚡ Watch CVE-2026-42089
Get an email if CVE-2026-42089 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.14% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-42089)