MEDIUM🇬🇧 English

CVE-2026-32094

CVSS 6.9v4.0pub. 2026-03-11upd. 2026-03-16

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Shescape Project Shescape

    APP
    Shescape Project
    < 2.1.10
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2022-31180CRITICAL9.8ten sam produkt

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient es...

CVE-2022-31179HIGH8.1ten sam produkt

Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to ...

CVE-2023-40185MEDIUM6.5ten sam produkt

shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in ...

CVE-2022-25918MEDIUM5.3ten sam produkt

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDo...

CVE-2022-36064MEDIUM5.9ten sam produkt

Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability ...