
88 matches found

RedhatCVE
added 2026/06/25 11:23 p.m. | 11 views

CVE-2026-13311

A flaw was found in the shell-quote component. An attacker who can supply a specially crafted string to the parse function can exploit an inefficiency in how the component processes input. This can cause the single-threaded Node.js event loop to be blocked for an extended period, leading to a...

8.7 CVSS | 6.2 AI score | 0.0036 EPSS
Exploits: 0 | References: 5

OSV
added 2026/06/25 5:16 a.m. | 2 views

DEBIAN-CVE-2026-13311

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an...

8.7 CVSS | 6.3 AI score | 0.0036 EPSS
Exploits: 0 | References: 1

NVD
added 2026/06/25 5:16 a.m. | 9 views

CVE-2026-13311

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an...

8.7 CVSS | 0.0036 EPSS
Exploits: 0 | References: 2

OSV
added 2026/06/25 5:16 a.m. | 3 views

UBUNTU-CVE-2026-13311

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an...

8.7 CVSS | 6.3 AI score | 0.0036 EPSS
Exploits: 0 | References: 4

CVE
added 2026/06/25 4:48 a.m. | 33 views

CVE-2026-13311

The CVE affects the shell-quote library prior to version 1.8.5. The parse() function accumulates tokens by using Array.prototype.concat as a reduce accumulator, causing O(n^2) time relative to token count and enabling a potential denial of service by blocking the Node.js event loop with small, at...

8.7 CVSS | 6.3 AI score | 0.0036 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

EUVD
added 2026/06/25 4:48 a.m. | 5 views

EUVD-2026-39180

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an...

8.7 CVSS | 6.3 AI score | 0.0036 EPSS
Exploits: 0 | References: 2

Cvelist
added 2026/06/25 4:48 a.m. | 37 views

CVE-2026-13311 shell-quote parse() is quadratic in token count, enabling denial of service

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an...

8.7 CVSS | 0.0036 EPSS
Exploits: 0 | References: 2

Debian CVE
added 2026/06/25 4:48 a.m. | 4 views

CVE-2026-13311

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an...

8.7 CVSS | 6.3 AI score | 0.0036 EPSS
Exploits: 0

Positive Technologies
added 2026/06/25 12:0 a.m. | 18 views

PT-2026-52200

Name of the Vulnerable Software and Affected Versions: shell-quote versions prior to 1.8.5. Description: The parse function finalizes parsed tokens using Array.prototype.concat as a reduce accumulator, causing the entire growing array to be reallocated and copied during every iteration. This results...

8.7 CVSS | 6.2 AI score | 0.0036 EPSS
Exploits: 0 | References: 14

AstraLinux
added 2026/06/19 11:10 a.m. | 6 views

Astra Linux – Vulnerability in Less

Closealtfile in filename.c in less before 606 omits shellquote calls for LESSCLOSE...

7.8 CVSS | 6.6 AI score | 0.01059 EPSS
Exploits: 0 | References: 2

OSV
added 2026/06/15 1:47 p.m. | 5 views

ROOT-APP-NPM-CVE-2026-9277 CVE-2026-9277 in @rootio/shell-quote - Patched by Root

Root has patched CVE-2026-9277 in the @rootio/shell-quote package for Root:npm. Multiple fixed versions available...

9.2 CVSS | 5.3 AI score | 0.00848 EPSS
Exploits: 1

GithubExploit
added 2026/06/15 1:37 p.m. | 114 views

Exploit for CVE-2026-9277

CVE-2026-9277 - Shell-Quote Command Injection Expl...

9.2 CVSS | 5.3 AI score | 0.00848 EPSS
Exploits: 1

OSV
added 2026/06/15 7:18 a.m. | 10 views

ROOT-APP-NPM-CVE-2021-42740 CVE-2021-42740 in @rootio/shell-quote - Patched by Root

Root has patched CVE-2021-42740 in the @rootio/shell-quote package for Root:npm. Multiple fixed versions available...

9.8 CVSS | 7.3 AI score | 0.0434 EPSS
Exploits: 0

Tenable Nessus
added 2026/06/11 12:0 a.m. | 4 views

Ubuntu 18.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : shell-quote vulnerability (USN-8410-1)

The remote Ubuntu 18.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8410-1 advisory. Akshat Sinha discovered that shell-quote improperly validated object-token inputs. An attacker could possibly use this...

9.2 CVSS | 5.7 AI score | 0.00848 EPSS
Exploits: 1 | References: 2

Debian CVE
added 2026/06/10 7:46 p.m. | 8 views

CVE-2026-46529

Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside...

8.4 CVSS | 6.5 AI score | 0.00529 EPSS
Exploits: 0

Veracode
added 2026/06/10 3:15 p.m. | 7 views

OS Command Injection

shell-quote is vulnerable to OS Command Injection. The vulnerability is due to insufficient validation and escaping of object-token .op inputs in the quote function, which allows an attacker to inject line terminators and execute arbitrary shell commands when the generated output is processed by ...

9.2 CVSS | 6.2 AI score | 0.00848 EPSS
Exploits: 1 | References: 26 | Affected Software: 1

vulnersOsv
added 2026/06/09 2:27 p.m. | 5 views

-tompan-reacttemplate (>=1.0.1 <=1.1.0), 0726react (=0.1.1) +28725 more potentially affected by CVE-2026-9277 via shell-quote (>=1.3.3 <=1.8.3)

shell-quote NPM version =1.3.3, =1.0.1, =1.1.0 - 0726react =0.1.1 - 0x0.icu.anima =0.1.0 - 0xcorde-pac =1.0.0 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 -...

9.2 CVSS | 5.7 AI score | 0.00848 EPSS
Exploits: 1

EUVD
added 2026/06/09 2:27 p.m. | 10 views

EUVD-2026-31440

shell-quote quote does not escape newlines in object .op values...

9.2 CVSS | 5.4 AI score | 0.00848 EPSS
Exploits: 1 | References: 6

Github Security Blog
added 2026/06/09 2:27 p.m. | 25 views

shell-quote quote() does not escape newlines in object .op values

Summary: shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore...

9.2 CVSS | 5.6 AI score | 0.00848 EPSS
Exploits: 1 | References: 7 | Affected Software: 1

OSV
added 2026/06/09 2:27 p.m. | 51 views

GHSA-W7JW-789Q-3M8P shell-quote quote() does not escape newlines in object .op values

Summary: shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore...

9.2 CVSS | 5.6 AI score | 0.00848 EPSS
Exploits: 1 | References: 6