Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

7 matches found

NVD
NVDadded 2026/03/11 8:16 p.m.2 views

CVE-2026-32094

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...

6.9CVSS0.00056EPSS
Exploits1References2
Cvelist
Cvelistadded 2026/03/11 7:50 p.m.24 views

CVE-2026-32094 Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...

6.9CVSS0.00056EPSS
Exploits1References2
ATTACKERKB
ATTACKERKBadded 2026/03/11 7:50 p.m.1 views

CVE-2026-32094

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...

6.9CVSS5.8AI score0.00056EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologiesadded 2026/03/11 12:0 a.m.2 views

PT-2026-24813

Summary Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret12 to expand into multiple filesystem matches instead of a single...

6.9CVSS5.9AI score0.00056EPSS
Exploits1References11
EUVD
EUVDadded 2026/03/09 10:48 p.m.1 views

EUVD-2026-10424

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk...

6.3CVSS5.8AI score0.00052EPSS
Exploits0References3
CVE
CVEadded 2025/03/25 11:0 p.m.67 views

CVE-2025-30222

Shescape vulnerability (CVE-2025-30222) affects versions 1.7.2–2.1.1 of the JavaScript shell-escape library. On Windows, when shell: 'cmd.exe' or shell: true is configured and any of quote/quoteAll/escape/escapeAll is used, an attacker may gain read-only access to environment variables due to env...

5.9CVSS7AI score0.00107EPSS
Exploits0References4
OSV
OSVadded 2025/03/25 11:0 p.m.5 views

CVE-2025-30222 Shescape has potential environment variable exposure on Windows with CMD

Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...

5.9CVSS6.7AI score0.00107EPSS
Exploits0References6
Rows per page
Query Builder