
CVE-2026-42089

Published 16/06/2026 19:16 · Modified 16/06/2026 17:35 · Author: The MITRE Corporation

Labels: CVE-2026-42089 · 2026-06-16 · CWE-829 · [email protected]

Essential information

Published
16/06/2026 19:16
Modified
16/06/2026 17:35
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
8.6 HIGH (v3.1)
CISA KEV
No
CWE
CWE-829
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS metrics

Description

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product            CPE
yeoman / yeoman    cpe:2.3:a:yeoman:yeoman:2.9.0-6.0.0:*:*:*:*:*:*:*
yeoman / yeoman    cpe:2.3:a:yeoman:yeoman:6.0.0:*:*:*:*:*:*:*

References