3 matches found
@adobe/git-server (>=1.0.1 <=1.0.5), @adobe/helix-cli (>=5.7.7 <=6.1.0) +29 more potentially affected by CVE-2026-32094 via shescape (>=1.6.1 <=2.1.0)
shescape NPM version =1.6.1, =1.0.1, =5.7.7, =2.16.1, =1.0.0, =0.1.3, =0.0.7, =0.1.0, =2.3.2, =2.3.2, =2.5.3, =2.6.0 - @snyk/snyk-hex-plugin =1.1.6 - @w3sec/w3security-gradle-plugin =2.27.0 - @xeserv/nixexpr =0.1.0 - addons-linter =1.15.3 and more Source cves: CVE-2026-32094 Source advisory:...
CVE-2026-32094 Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...
CVE-2026-32094
creationtimestamp| type| source ---|---|--- 2026-03-10 20:00:28+00:00| published-proof-of-concept| https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm 2026-03-11 19:16:17+00:00| seen| https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-32094...