CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-42089

highCVSS 8.6covered by 1 sourcefirst seen 2026-05-26
Impact yeoman-environment versions >= 2.9.0 and < 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. Patches Upgrade to yeoman-environment 6.0.1, which adds an interactive confirmation prompt before installation (PR #753). Workarounds None. Resources - Fix commit 78d2af7

⚡ Watch CVE-2026-42089

Get an email if CVE-2026-42089 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-42089

CVE.org record

Embed the live status

CVE-2026-42089 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-42089 status](https://www.csirts.com/badge/CVE-2026-42089)](https://www.csirts.com/cve/CVE-2026-42089)