CVE-2026-42089
Remote Code Execution in Yeoman Environment

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.
Affected Vendors & Products
Vendor Product Version / Range
yeoman yeoman From 2.9.0 (inc) to 6.0.0 (inc)
yeoman environment 6.0.0
yeoman environment From 2.9.0 (inc) to 6.0.1 (exc)
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Executive Summary

The vulnerability exists in Yeoman Environment versions 2.9.0 through 6.0.0 in the method installLocalGenerators(). This method installs missing local generator packages from package names supplied by the caller without asking the user for confirmation.

If an attacker can control the project configuration passed to this method, they can cause arbitrary packages to be installed during the CLI bootstrap process without the user's knowledge or consent.

This can lead to arbitrary code execution because malicious packages could be installed and run automatically.

The issue was fixed in version 6.0.0 by adding a prompt that asks users for confirmation before installing local packages.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system if you use a vulnerable version of Yeoman Environment and an attacker can supply malicious project configuration.

Because the method installs packages without user confirmation, malicious packages could be installed and executed during the CLI bootstrap process.

This could compromise the security and integrity of your development environment or system, potentially leading to data loss, unauthorized access, or further exploitation.

Detection Guidance

This vulnerability occurs when Yeoman Environment versions 2.9.0 through 6.0.0 install local generator packages without user confirmation, potentially allowing arbitrary package installation and code execution.

To determine whether your system is vulnerable, first check the installed version of yeoman-environment. If it is between 2.9.0 and 6.0.0 (inclusive), it is vulnerable.

  • Run the command to check the installed version: `npm list yeoman-environment` or `npm ls yeoman-environment`
  • Alternatively, check the version via: `npm ls yeoman-environment --depth=0`

Since the vulnerability involves automatic installation of packages from attacker-controlled input during CLI bootstrap, monitoring unexpected package installations or suspicious CLI bootstrap activity may help detect exploitation attempts.
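The version check above, as an added example that is not part of the advisory: a small Node.js script that walks the JSON emitted by `npm ls yeoman-environment --json` (the nested `dependencies` shape is assumed), reports every copy of the package in the tree, including transitive ones pulled in by a generator, and flags those inside the affected range 2.9.0 (inclusive) to 6.0.1 (exclusive). The sample tree is constructed, not captured from a real project.

```javascript
// Added example (not the advisory's or Yeoman's own code): flag installed
// copies of yeoman-environment that fall in the affected range
// 2.9.0 <= v < 6.0.1, from the JSON that `npm ls yeoman-environment --json`
// prints. Assumed input shape: { dependencies: { name: { version, dependencies } } }.

const AFFECTED_MIN = "2.9.0"; // first affected version (inclusive)
const FIRST_FIXED = "6.0.1";  // first version outside the affected range

// Compare two dotted versions numerically; returns -1, 0 or 1.
// Pre-release suffixes are dropped (assumption: "6.0.1-beta" counts as 6.0.1).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIRST_FIXED) < 0;
}

// Recursively walk the npm ls tree and collect every yeoman-environment
// found, with its path in the tree so transitive copies are visible too.
function findYeomanEnvironment(tree, path = [], found = []) {
  for (const [name, info] of Object.entries(tree.dependencies ?? {})) {
    const here = [...path, name];
    if (name === "yeoman-environment" && info.version) {
      found.push({ path: here.join(" > "), version: info.version, affected: isAffected(info.version) });
    }
    findYeomanEnvironment(info, here, found);
  }
  return found;
}

// Constructed sample of what `npm ls yeoman-environment --json` might print:
// one affected copy nested under a CLI, one fixed copy at the top level.
const SAMPLE_NPM_LS = JSON.stringify({
  name: "demo-project",
  dependencies: {
    "yo": { version: "4.3.1", dependencies: { "yeoman-environment": { version: "3.19.3" } } },
    "yeoman-environment": { version: "6.0.1" }
  }
});

for (const r of findYeomanEnvironment(JSON.parse(SAMPLE_NPM_LS))) {
  console.log(`${r.path}: ${r.version} -> ${r.affected ? "AFFECTED" : "ok"}`);
}
```

To check a real project, replace SAMPLE_NPM_LS with the captured output of `npm ls yeoman-environment --json` run in that project's directory.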

Mitigation Strategies

The primary mitigation is to upgrade yeoman-environment to version 6.0.1 or later, where the vulnerability is fixed by adding a user confirmation prompt before installing local packages.

If upgrading immediately is not possible, consider auditing and restricting the input sources that provide project configuration to Yeoman to prevent attacker-controlled package names from being passed.

No workarounds are officially available, so upgrading is the recommended immediate step.
