CVE-2026-45136

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh introduced in v3.5.0 interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of th...

ROOT-APP-NPM-CVE-2021-42740 CVE-2021-42740 in @rootio/shell-quote - Patched by Root

Root has patched CVE-2021-42740 in the @rootio/shell-quote package for Root:npm. Multiple fixed versions available...

openSUSE 16 Security Update : python-pytest-html (openSUSE-SU-2026:20839-1)

The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2026:20839-1 advisory. Changes in python-pytest-html: - CVE-2026-9277: shell-quote: improper escaping of newlines bsc1266254 Update the vendored shell-quote to 1.8.4 nodemodul...

CVE-2026-7430 Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import

The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the jqueryUiDialog method...

Security update for python-pytest-html (important)

openSUSE security update: security update for python-pytest-html ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20839-1 Rating: important References: bsc1266254 Cross-References: CVE-2026-9277 CVSS scores: CVE-2026-9277 SUSE : 8.1...

OPENSUSE-SU-2026:20839-1 Security update for python-pytest-html

This update for python-pytest-html fixes the following issues: Changes in python-pytest-html: - CVE-2026-9277: shell-quote: improper escaping of newlines bsc1266254 Update the vendored shell-quote to 1.8.4 nodemodules...

CVE-2026-45136 claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh introduced in v3.5.0 interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of th...

CVE-2026-45136 claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh introduced in v3.5.0 interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of th...

UBUNTU-CVE-2026-45570

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containin...

CVE-2026-45570 go-git: Improper single-quote escaping in go-git SSH transport

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containin...

CVE-2026-45570

Go-git’s SSH transport builds the remote exec command by wrapping the repository path in single quotes without escaping embedded single quotes. Prior to 5.19.1 and 6.0.0-alpha.4, a path containing a single quote could break out of the quoted region and be injected as extra shell tokens, enabling ...

CVE-2026-45570

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containin...

CVE-2026-8884

The CVE-2026-8884 entry concerns the Instant-Quote.co Quotation Page plugin for WordPress, vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to 1.3.4. The root cause described is insufficient input sanitization and output escaping. The impact stated is that aut...

CVE-2026-8884 Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Debian dsa-6300 : node-shell-quote - security update

The remote Debian 12 / 13 host has a package installed that is affected by a vulnerability as referenced in the dsa-6300 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6300-1 [email protected] https://www.debian.org/security/...

WordPress plugin Instant-Quote.co Quotation Page 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress Instant-Quote.co Quotation Page plugin <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Instant-Quote.co Quotation Page versions = 1.3.4...

SUSE CVE-2026-9277

shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore passed...

CVE-2026-9277

A flaw was found in the shell-quote component. The quote function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpre...

Linux Distros Unpatched Vulnerability : CVE-2026-9277

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by...