CVE-2026-42089 (GCVE-0-2026-42089)
Vulnerability from cvelistv5 – Published: 2026-06-16 16:15 – Updated: 2026-06-16 17:24
VLAI
Title
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Summary
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/yeoman/environment/security/ad… | x_refsource_CONFIRM |
| https://github.com/yeoman/environment/pull/753 | x_refsource_MISC |
| https://github.com/yeoman/environment/commit/78d2… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yeoman | environment |
Affected:
>= 2.9.0, < 6.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T17:23:58.864894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T17:24:07.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "environment",
"vendor": "yeoman",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 6.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:15:04.499Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp"
},
{
"name": "https://github.com/yeoman/environment/pull/753",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yeoman/environment/pull/753"
},
{
"name": "https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa"
}
],
"source": {
"advisory": "GHSA-vv9j-gjw2-j8wp",
"discovery": "UNKNOWN"
},
"title": "yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42089",
"datePublished": "2026-06-16T16:15:04.499Z",
"dateReserved": "2026-04-23T19:17:30.566Z",
"dateUpdated": "2026-06-16T17:24:07.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42089",
"date": "2026-06-18",
"epss": "0.00195",
"percentile": "0.09284"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42089\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-16T17:16:40.740\",\"lastModified\":\"2026-06-16T17:35:00.803\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-829\"}]}],\"references\":[{\"url\":\"https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/yeoman/environment/pull/753\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42089\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-16T17:23:58.864894Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-16T17:24:01.019Z\"}}], \"cna\": {\"title\": \"yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation\", \"source\": {\"advisory\": \"GHSA-vv9j-gjw2-j8wp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"yeoman\", \"product\": \"environment\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.9.0, \u003c 6.0.1\"}]}], \"references\": [{\"url\": \"https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp\", \"name\": \"https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/yeoman/environment/pull/753\", \"name\": \"https://github.com/yeoman/environment/pull/753\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa\", \"name\": \"https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-829\", \"description\": \"CWE-829: Inclusion of Functionality from Untrusted Control Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-16T16:15:04.499Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42089\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-16T17:24:07.061Z\", \"dateReserved\": \"2026-04-23T19:17:30.566Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-16T16:15:04.499Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…