What is GHSA-vv9j-gjw2-j8wp?

GHSA-vv9j-gjw2-j8wp is a security advisory published by GitHub Security Advisories with High severity. yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Which CVE IDs does GHSA-vv9j-gjw2-j8wp cover?

GHSA-vv9j-gjw2-j8wp covers the following CVE IDs: CVE-2026-42089. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-vv9j-gjw2-j8wp?

GHSA-vv9j-gjw2-j8wp has a CVSS v3 base score of 8.6, published by GitHub Security Advisories.

Which products are affected by GHSA-vv9j-gjw2-j8wp?

GHSA-vv9j-gjw2-j8wp affects 1 product, including: npm/yeoman-environment:\u003e= 2.9.0, \u003c 6.0.1.

GHSA-vv9j-gjw2-j8wpHighCVSS 8.6

yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-42089 →

📋 Description

Impact

yeoman-environment versions >= 2.9.0 and < 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap.

The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user.

Patches

Upgrade to yeoman-environment 6.0.1, which adds an interactive confirmation prompt before installation (PR #753).

Workarounds

None.

Resources

Fix commit 78d2af7

🎯 Affected products1

npm/yeoman-environment:>= 2.9.0, < 6.0.1

🔗 References (3)

https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp
https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa
https://github.com/advisories/GHSA-vv9j-gjw2-j8wp