CVE-2026-32094

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...

@snyk/snyk-cocoapods-plugin (=2.6.0), snyk-docker-plugin (>=8.0.0 <=8.4.0) potentially affected by CVE-2026-32094 via shescape (=2.1.0)

shescape NPM version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on shescape and may be impacted: - @snyk/snyk-cocoapods-plugin =2.6.0 - snyk-docker-plugin =8.0.0, =8.4.0 Source cves: CVE-2026-32094 Source advisory: SNYK:JS-SHESCAPE-15467452...

Improper Encoding or Escaping of Output

Overview shescape is a simple shell escape library Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the escape function. An attacker can cause unintended expansion of shell arguments by supplying input containing square brackets, which may result in...

@adobe/git-server (>=1.0.1 <=1.0.5), @adobe/helix-cli (>=5.7.7 <=6.1.0) +29 more potentially affected by CVE-2026-32094 via shescape (>=1.6.1 <=2.1.0)

shescape NPM version =1.6.1, =1.0.1, =5.7.7, =2.16.1, =1.0.0, =0.1.3, =0.0.7, =0.1.0, =2.3.2, =2.3.2, =2.5.3, =2.6.0 - @snyk/snyk-hex-plugin =1.1.6 - @w3sec/w3security-gradle-plugin =2.27.0 - @xeserv/nixexpr =0.1.0 - addons-linter =1.15.3 and more Source cves: CVE-2026-32094 Source advisory:...

CVE-2026-32094

CVE-2026-32094 affects the JavaScript library Shescape. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax used by Bash, BusyBox sh, and Dash. If an application interpolates the returned value directly into a shell command, attacker-controlled input such as secret[12] c...

CVE-2026-32094 Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...

Shescape 信息泄露漏洞

Shescape is a simple shell escape program developed by Eric Cornelissen. Versions of Shescape prior to 2.1.10 contained an information leakage vulnerability. This vulnerability stemmed from unescaped bracket wildcard syntax, which could allow attacker-controlled parameters to expand into multiple...

CVE-2026-30916

CVE-2026-30916 relates to the Shescape JavaScript library. Prior to version 2.1.9, an attacker could bypass shell escaping when the configured shell pointed to a file that is a chain of symlinks, potentially exposing sensitive information depending on the shell used. A fix is available in 2.1.9. ...

CVE-2026-30916

...

CVE-2026-30916

...

GHSA-6F6W-6J58-RQ76 Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains

Withdrawn Advisory This advisory has been withdrawn because it falls outside the https://github.com/ericcornelissen/shescape/blob/a2544a1c78cae19d0e81a485b997bf0b0fcc2c12/SECURITY.mdthreat-model. This link is maintained to preserve external references. Original Description Impact This impacts use...

Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains

Withdrawn Advisory This advisory has been withdrawn because it falls outside the https://github.com/ericcornelissen/shescape/blob/a2544a1c78cae19d0e81a485b997bf0b0fcc2c12/SECURITY.mdthreat-model. This link is maintained to preserve external references. Original Description Impact This impacts use...

Symlink Attack

Overview shescape is a simple shell escape library Affected versions of this package are vulnerable to Symlink Attack in resolving shells in unix.js. An attacker can expose sensitive information by configuring the shell path as a symbolic link to another symlink, which may bypass proper escaping ...

CVE-2022-31180

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the escape or escapeAll functions with the interpolation option set to true. The result is that if ...

CVE-2025-30222 Shescape has potential environment variable exposure on Windows with CMD

Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...

Shescape 信息泄露漏洞

Shescape is a simple shell escaping package for JavaScript by the individual developer Eric Cornelissen. An information disclosure vulnerability exists in Shescape versions 1.7.2 through 2.1.1, which stems from the potential exposure of environment variables when using CMD on Windows...

Arbitrary Command Injection

shescape is vulnerable to Arbitrary Command Injection. The vulnerability exists in threaded contexts on Windows, which results in improper escaping of shells, which allows an attacker to bypass shell sanitization...

CVE-2023-40185

shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping or quoting for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expecte...

Design/Logic Flaw

shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping or quoting for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expecte...

CVE-2023-40185 Shescape on Windows escaping may be bypassed in threaded context

shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping or quoting for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expecte...