128 matches found
CVE-2026-32094
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...
@snyk/snyk-cocoapods-plugin (=2.6.0), snyk-docker-plugin (>=8.0.0 <=8.4.0) potentially affected by CVE-2026-32094 via shescape (=2.1.0)
shescape NPM version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on shescape and may be impacted: - @snyk/snyk-cocoapods-plugin =2.6.0 - snyk-docker-plugin =8.0.0, =8.4.0 Source cves: CVE-2026-32094 Source advisory: SNYK:JS-SHESCAPE-15467452...
Improper Encoding or Escaping of Output
Overview shescape is a simple shell escape library Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the escape function. An attacker can cause unintended expansion of shell arguments by supplying input containing square brackets, which may result in...
CVE-2026-32094
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...
@adobe/git-server (>=1.0.1 <=1.0.5), @adobe/helix-cli (>=5.7.7 <=6.1.0) +29 more potentially affected by CVE-2026-32094 via shescape (>=1.6.1 <=2.1.0)
shescape NPM version =1.6.1, =1.0.1, =5.7.7, =2.16.1, =1.0.0, =0.1.3, =0.0.7, =0.1.0, =2.3.2, =2.3.2, =2.5.3, =2.6.0 - @snyk/snyk-hex-plugin =1.1.6 - @w3sec/w3security-gradle-plugin =2.27.0 - @xeserv/nixexpr =0.1.0 - addons-linter =1.15.3 and more Source cves: CVE-2026-32094 Source advisory:...
CVE-2026-32094
CVE-2026-32094 affects the JavaScript library Shescape. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax used by Bash, BusyBox sh, and Dash. If an application interpolates the returned value directly into a shell command, attacker-controlled input such as secret[12] c...
CVE-2026-32094 Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...
CVE-2026-32094 Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...
CVE-2026-32094
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...
CVE-2026-30916
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk...
Shescape 信息泄露漏洞
Shescape is a simple shell escape program developed by Eric Cornelissen. Versions of Shescape prior to 2.1.10 contained an information leakage vulnerability. This vulnerability stemmed from unescaped bracket wildcard syntax, which could allow attacker-controlled parameters to expand into multiple...
PT-2026-24813
Summary Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret12 to expand into multiple filesystem matches instead of a single...
CVE-2026-30916
Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project's threat model. See https://github.com/github/advisory-database/pull/7206 for more information...
CVE-2026-30916
CVE-2026-30916 relates to the Shescape JavaScript library. Prior to version 2.1.9, an attacker could bypass shell escaping when the configured shell pointed to a file that is a chain of symlinks, potentially exposing sensitive information depending on the shell used. A fix is available in 2.1.9. ...
CVE-2026-30916
REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project's threat model. See https://github.com/github/advisory-database/pull/7206 for more information...
EUVD-2026-10425
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk...
EUVD-2026-10424
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk...
CVE-2026-30916
...
CVE-2026-30916
...
Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains
Withdrawn Advisory This advisory has been withdrawn because it falls outside the https://github.com/ericcornelissen/shescape/blob/a2544a1c78cae19d0e81a485b997bf0b0fcc2c12/SECURITY.mdthreat-model. This link is maintained to preserve external references. Original Description Impact This impacts use...