Lookup for vulnerable packages by Package URL.

Purl pkg:npm/shescape@0.1.0
Type npm
Namespace
Name shescape
Version 0.1.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.1.10
Latest_non_vulnerable_version 2.1.10
Affected_by_vulnerabilities
0
url VCID-8tmm-r9hx-t7gh
vulnerability_id VCID-8tmm-r9hx-t7gh
summary
Cleartext Storage of Sensitive Information in an Environment Variable
Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-35931
reference_id
reference_type
scores
0
value 0.00464
scoring_system epss
scoring_elements 0.64712
published_at 2026-06-06T12:55:00Z
1
value 0.00464
scoring_system epss
scoring_elements 0.64702
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-35931
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T16:08:36Z/
url https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac
3
reference_url https://github.com/ericcornelissen/shescape/pull/982
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T16:08:36Z/
url https://github.com/ericcornelissen/shescape/pull/982
4
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T16:08:36Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-35931
reference_id CVE-2023-35931
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-35931
6
reference_url https://github.com/advisories/GHSA-3g7p-8qhx-mc8r
reference_id GHSA-3g7p-8qhx-mc8r
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3g7p-8qhx-mc8r
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-3g7p-8qhx-mc8r
reference_id GHSA-3g7p-8qhx-mc8r
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T16:08:36Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-3g7p-8qhx-mc8r
fixed_packages
0
url pkg:npm/shescape@1.7.1
purl pkg:npm/shescape@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cy6p-xc3p-wbe1
1
vulnerability VCID-emqt-chqk-wug3
2
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.7.1
aliases CVE-2023-35931, GHSA-3g7p-8qhx-mc8r
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8tmm-r9hx-t7gh
1
url VCID-afhu-wkta-q3et
vulnerability_id VCID-afhu-wkta-q3et
summary
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
shescape is a simple shell escape package for JavaScript. In shescape, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched. No further changes are required.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21384
reference_id
reference_type
scores
0
value 0.00165
scoring_system epss
scoring_elements 0.3736
published_at 2026-06-05T12:55:00Z
1
value 0.00165
scoring_system epss
scoring_elements 0.37366
published_at 2026-06-06T12:55:00Z
2
value 0.00165
scoring_system epss
scoring_elements 0.37269
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21384
1
reference_url https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b
2
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3
3
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh
4
reference_url https://www.npmjs.com/package/shescape
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/shescape
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21384
reference_id CVE-2021-21384
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21384
6
reference_url https://github.com/advisories/GHSA-f2rp-38vg-j3gh
reference_id GHSA-f2rp-38vg-j3gh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f2rp-38vg-j3gh
fixed_packages
0
url pkg:npm/shescape@1.1.3
purl pkg:npm/shescape@1.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8tmm-r9hx-t7gh
1
vulnerability VCID-cy6p-xc3p-wbe1
2
vulnerability VCID-emqt-chqk-wug3
3
vulnerability VCID-px7h-1hh9-wuhs
4
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.1.3
aliases CVE-2021-21384, GHSA-f2rp-38vg-j3gh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-afhu-wkta-q3et
2
url VCID-cy6p-xc3p-wbe1
vulnerability_id VCID-cy6p-xc3p-wbe1
summary
Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains
This impacts users of Shescape who configure their `shell` to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and the incorrect shell identified by Shescape.

In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. Consider the following proof of concept (targeting Shescape v2):

```javascript
import fs from "node:fs";
import { exec } from "node:child_process";

import { Shescape } from "shescape";
import which from "which";

/* 1. Set up */
const shell = which.sync("bash");
const linkToShell = "./csh";
const linkToLink = "./link";

fs.rmSync(linkToLink, { force: true });
fs.rmSync(linkToShell, { force: true });
fs.symlinkSync(shell, linkToShell);
fs.symlinkSync(linkToShell, linkToLink);

/* 2. Misconfiguration */
const execOptions = {
  shell: linkToLink,
};

const shescape = new Shescape({
  shell: execOptions.shell,
});

/* 3. Payload */
const userInput = "a=:~";

/* 4. Attack example */
exec(
  `echo Hello ${shescape.escape(userInput)}`,
  { shell: execOptions.shell },
  (error, stdout) => {
    fs.rmSync(linkToLink);
    fs.rmSync(linkToShell);

    if (error) {
      console.error(`An error occurred: ${error}`);
    } else {
      console.log(stdout);
      // Output:  "Hello a=:/home/user"
    }
  },
);
```
references
0
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
1
reference_url https://github.com/ericcornelissen/shescape/pull/2388
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/pull/2388
2
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9
3
reference_url https://github.com/github/advisory-database/pull/7206
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/github/advisory-database/pull/7206
4
reference_url https://www.npmjs.com/package/shescape/v/2.1.9
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/shescape/v/2.1.9
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30916
reference_id CVE-2026-30916
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-30916
6
reference_url https://github.com/advisories/GHSA-6f6w-6j58-rq76
reference_id GHSA-6f6w-6j58-rq76
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6f6w-6j58-rq76
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76
reference_id GHSA-6f6w-6j58-rq76
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76
fixed_packages
0
url pkg:npm/shescape@2.1.9
purl pkg:npm/shescape@2.1.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@2.1.9
aliases CVE-2026-30916, GHSA-6f6w-6j58-rq76
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cy6p-xc3p-wbe1
3
url VCID-emqt-chqk-wug3
vulnerability_id VCID-emqt-chqk-wug3
summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in shescape.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40185
reference_id
reference_type
scores
0
value 0.00092
scoring_system epss
scoring_elements 0.2588
published_at 2026-06-06T12:55:00Z
1
value 0.00092
scoring_system epss
scoring_elements 0.25888
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40185
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T19:09:19Z/
url https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63
3
reference_url https://github.com/ericcornelissen/shescape/pull/1142
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T19:09:19Z/
url https://github.com/ericcornelissen/shescape/pull/1142
4
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T19:09:19Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40185
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40185
6
reference_url https://github.com/advisories/GHSA-j55r-787p-m549
reference_id GHSA-j55r-787p-m549
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j55r-787p-m549
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549
reference_id GHSA-j55r-787p-m549
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T19:09:19Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549
fixed_packages
0
url pkg:npm/shescape@1.7.4
purl pkg:npm/shescape@1.7.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cy6p-xc3p-wbe1
1
vulnerability VCID-nfa3-zn9d-s7f9
2
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.7.4
aliases CVE-2023-40185, GHSA-j55r-787p-m549
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-emqt-chqk-wug3
4
url VCID-px7h-1hh9-wuhs
vulnerability_id VCID-px7h-1hh9-wuhs
summary
Shescape prior to 1.5.8 vulnerable to insufficient escaping of line feeds for CMD
### Impact

This impacts users that use Shescape (any API function) to escape arguments for **cmd.exe** on **Windows**. An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. Example:

```javascript
import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "cmd.exe",
};

// 2. Attack
const payload = "attacker\n";

// 3. Usage
let escapedPayload;
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options)[0];
// Or
escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options)[0];

cp.execSync(`echo Hello ${escapedPayload}! How are you doing?`, options);
// Outputs:  "Hello attacker"
```

> **Note**: `execSync` is just illustrative here; all of `exec`, `execFile`, `execFileSync`, `fork`, `spawn`, and `spawnSync` can be attacked using a line feed character if CMD is the shell being used.

### Patches

This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required.

### Workarounds

Alternatively, line feed characters (`'\n'`) can be stripped out manually or the user input can be made the last argument (this only limits the impact).

### References

- https://github.com/ericcornelissen/shescape/pull/332
- https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8

### For more information

If you have any questions or comments about this advisory:

- Comment on https://github.com/ericcornelissen/shescape/pull/332
- Open an issue at https://github.com/ericcornelissen/shescape/issues (_New issue_ > _Question_ > _Get started_)

[v1.5.8]: https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31179
reference_id
reference_type
scores
0
value 0.00625
scoring_system epss
scoring_elements 0.70608
published_at 2026-06-06T12:55:00Z
1
value 0.00625
scoring_system epss
scoring_elements 0.70598
published_at 2026-06-05T12:55:00Z
2
value 0.00625
scoring_system epss
scoring_elements 0.70556
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31179
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/commit/aceea7358f7222984e21260381ebc5ec4543b76f
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/commit/aceea7358f7222984e21260381ebc5ec4543b76f
3
reference_url https://github.com/ericcornelissen/shescape/pull/332
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:15Z/
url https://github.com/ericcornelissen/shescape/pull/332
4
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:15Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
5
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:15Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31179
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31179
7
reference_url https://github.com/advisories/GHSA-jjc5-fp7p-6f8w
reference_id GHSA-jjc5-fp7p-6f8w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jjc5-fp7p-6f8w
fixed_packages
0
url pkg:npm/shescape@1.5.8
purl pkg:npm/shescape@1.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7x9z-rjk1-j7d2
1
vulnerability VCID-8tmm-r9hx-t7gh
2
vulnerability VCID-cy6p-xc3p-wbe1
3
vulnerability VCID-emqt-chqk-wug3
4
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.5.8
aliases CVE-2022-31179, GHSA-jjc5-fp7p-6f8w, GMS-2022-3205
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-px7h-1hh9-wuhs
5
url VCID-wpfp-cjd5-87g2
vulnerability_id VCID-wpfp-cjd5-87g2
summary
Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
`Shescape#escape()` does not escape square-bracket glob syntax for Bash, BusyBox `sh`, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like `secret[12]` to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32094
reference_id
reference_type
scores
0
value 0.00056
scoring_system epss
scoring_elements 0.17732
published_at 2026-06-06T12:55:00Z
1
value 0.00056
scoring_system epss
scoring_elements 0.17739
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32094
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:54:11Z/
url https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a
3
reference_url https://github.com/ericcornelissen/shescape/pull/2410
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/pull/2410
4
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v2.1.10
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/releases/tag/v2.1.10
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32094
reference_id CVE-2026-32094
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32094
6
reference_url https://github.com/advisories/GHSA-9jfh-9xrq-4vwm
reference_id GHSA-9jfh-9xrq-4vwm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9jfh-9xrq-4vwm
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm
reference_id GHSA-9jfh-9xrq-4vwm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:54:11Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm
fixed_packages
0
url pkg:npm/shescape@2.1.10
purl pkg:npm/shescape@2.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@2.1.10
aliases CVE-2026-32094, GHSA-9jfh-9xrq-4vwm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wpfp-cjd5-87g2
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@0.1.0