23 matches found
CVE-2026-30916
REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project's threat model. See https://github.com/github/advisory-database/pull/7206 for more information...
@coder/cmux (>=0.3.0-next.64.g5f200a6 <=0.5.1-next.10.g83f9dd4), @dccxx/auggie-shell-mcp (>=1.0.6 <=1.0.29) +14 more potentially affected by CVE-2026-30916 via shescape (>=2.1.0 <=2.1.6)
shescape NPM version =2.1.0, =0.3.0-next.64.g5f200a6, =1.0.6, =0.1.0, =0.9.22, =2.6.0, =2.0.0, =1.1.0, =0.1.24, =0.5.1-next.11.g2647a3c, =0.3.0, =8.0.0, =6.0.0, =4.0.0, =3.0.0, =3.2.1 and more Source cves: CVE-2026-30916 Source advisory: SNYK:JS-SHESCAPE-15440479...
CVE-2023-40185
shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping or quoting for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expecte...
CVE-2022-31179
Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows. This impacts users that use Shescape any API function to escape arguments for cmd.exe on Windows An attacker can omit all arguments following their input by...
EUVD-2021-0648
Malware in sbrugna...
EUVD-2023-2309
Malicious code in bioql PyPI...
EUVD-2022-38826
Malicious code in bioql PyPI...
EUVD-2022-7081
Malicious code in bioql PyPI...
CVE-2022-36064
Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells Bash and Dash, or any not-officially-supported Unix shell; and/or using the escape or escapeAll functions with the...
CVE-2025-30222
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...
@clevercanyon/madrun (>=1.0.0 <=1.0.1), @coder/cmux (>=0.3.0-next.64.g5f200a6 <=0.5.1-next.10.g83f9dd4) +19 more potentially affected by CVE-2025-30222 via shescape (>=1.7.4 <=2.1.12)
shescape NPM version =1.7.4, =1.0.0, =0.3.0-next.64.g5f200a6, =1.0.6, =0.1.0, =0.9.22, =1.1.0, =0.1.2, =1.0.0, =0.1.24, =1.0.0, =1.5.1, =1.5.3 and more Source cves: CVE-2025-30222 Source advisory: OSV:GHSA-66PP-5P9W-Q87J...
GHSA-66PP-5P9W-Q87J Shescape has potential environment variable exposure on Windows with CMD
Impact This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of quote/quoteAll/escape/escapeAll. An attacker may be able to get read-only access to environment variables. Example: javascript import as cp from "node:childprocess"; import...
Shescape has potential environment variable exposure on Windows with CMD
Impact This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of quote/quoteAll/escape/escapeAll. An attacker may be able to get read-only access to environment variables. Example: javascript import as cp from "node:childprocess"; import...
CVE-2025-30222
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...
CVE-2025-30222 Shescape has potential environment variable exposure on Windows with CMD
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...
@adobe/git-server (>=1.0.1 <=1.0.5), @adobe/helix-cli (>=5.7.7 <=6.1.0) +21 more potentially affected by CVE-2023-40185 via shescape (>=1.6.1 <=1.6.6)
shescape NPM version =1.6.1, =1.0.1, =5.7.7, =2.16.1, =0.1.3, =0.0.7, =0.1.0, =2.3.2, =2.3.2, =2.3.2, =2.3.3 and more Source cves: CVE-2023-40185 Source advisory: OSV:GHSA-J55R-787P-M549...
@adobe/git-server (>=1.0.1 <=1.0.5), @adobe/helix-cli (>=5.7.7 <=6.1.0) +21 more potentially affected by CVE-2023-35931 via shescape (>=1.6.1 <=1.6.6)
shescape NPM version =1.6.1, =1.0.1, =5.7.7, =2.16.1, =0.1.3, =0.0.7, =0.1.0, =2.3.2, =2.3.2, =2.3.2, =2.3.3 and more Source cves: CVE-2023-35931 Source advisory: OSV:GHSA-3G7P-8QHX-MC8R...
PT-2022-17604 · Shescape · Shescape
Name of the Vulnerable Software and Affected Versions: shescape versions 1.5.10 through 1.6.1 Description: The issue is related to a Regular Expression Denial of Service ReDoS vulnerability via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function. This...
GHSA-JJC5-FP7P-6F8W Shescape prior to 1.5.8 vulnerable to insufficient escaping of line feeds for CMD
Impact This impacts users that use Shescape any API function to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character '\n' in the payload. Example: javascript import cp from "node:childprocess"; import as shescape from...
PT-2022-20591 · Shescape · Shescape
Name of the Vulnerable Software and Affected Versions: Shescape versions prior to 1.5.8 Description: The issue impacts users of Shescape who use any API function to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character...