82 matches found
CVE-2026-13311
shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in On^2 time relative to the number of input tokens. An attacker who can supply an...
CVE-2026-13311 shell-quote parse() is quadratic in token count, enabling denial of service
shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in On^2 time relative to the number of input tokens. An attacker who can supply an...
CVE-2026-13311
The CVE affects the shell-quote library prior to version 1.8.5. The parse() function accumulates tokens by using Array.prototype.concat as a reduce accumulator, causing O(n^2) time relative to token count and enabling a potential denial of service by blocking the Node.js event loop with small, at...
EUVD-2026-39180
shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in On^2 time relative to the number of input tokens. An attacker who can supply an...
Astra Linux – Vulnerability in Less
Closealtfile in filename.c in less before 606 omits shellquote calls for LESSCLOSE...
ROOT-APP-NPM-CVE-2026-9277 CVE-2026-9277 in @rootio/shell-quote - Patched by Root
Root has patched CVE-2026-9277 in the @rootio/shell-quote package for Root:npm. Multiple fixed versions available...
Exploit for CVE-2026-9277
CVE-2026-9277 - Shell-Quote Command Injection Expl...
ROOT-APP-NPM-CVE-2021-42740 CVE-2021-42740 in @rootio/shell-quote - Patched by Root
Root has patched CVE-2021-42740 in the @rootio/shell-quote package for Root:npm. Multiple fixed versions available...
Ubuntu 18.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : shell-quote vulnerability (USN-8410-1)
The remote Ubuntu 18.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8410-1 advisory. Akshat Sinha discovered that shell-quote improperly validated object-token inputs. An attacker could possibly use this...
CVE-2026-46529
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside...
GHSA-W7JW-789Q-3M8P shell-quote quote() does not escape newlines in object .op values
Summary shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore...
-tompan-reacttemplate (>=1.0.1 <=1.1.0), 0726react (=0.1.1) +28795 more potentially affected by CVE-2026-9277 via shell-quote (>=1.3.3 <=1.8.3)
shell-quote NPM version =1.3.3, =1.0.1, =1.1.0 - 0726react =0.1.1 - 0x0.icu.anima =0.1.0 - 0xcorde-pac =1.0.0 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 -...
EUVD-2026-31440
shell-quote quote does not escape newlines in object .op values...
shell-quote quote() does not escape newlines in object .op values
Summary shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore...
USN-8410-1 node-shell-quote vulnerability
Akshat Sinha discovered that shell-quote improperly validated object-token inputs. An attacker could possibly use this issue to cause shell-quote to crash, resulting in a denial of service, or execute arbitrary code...
USN-8410-1: shell-quote vulnerability
Akshat Sinha discovered that shell-quote improperly validated object-token inputs. An attacker could possibly use this issue to cause shell-quote to crash, resulting in a denial of service, or execute arbitrary code...
openSUSE 16 Security Update : python-pytest-html (openSUSE-SU-2026:20839-1)
The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2026:20839-1 advisory. Changes in python-pytest-html: - CVE-2026-9277: shell-quote: improper escaping of newlines bsc1266254 Update the vendored shell-quote to 1.8.4 nodemodul...
Security update for python-pytest-html (important)
openSUSE security update: security update for python-pytest-html ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20839-1 Rating: important References: bsc1266254 Cross-References: CVE-2026-9277 CVSS scores: CVE-2026-9277 SUSE : 8.1...
OPENSUSE-SU-2026:20839-1 Security update for python-pytest-html
This update for python-pytest-html fixes the following issues: Changes in python-pytest-html: - CVE-2026-9277: shell-quote: improper escaping of newlines bsc1266254 Update the vendored shell-quote to 1.8.4 nodemodules...
Debian dsa-6300 : node-shell-quote - security update
The remote Debian 12 / 13 host has a package installed that is affected by a vulnerability as referenced in the dsa-6300 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6300-1 [email protected] https://www.debian.org/security/...