PT-2026-44550 · Pypi · Shamefile

Publicado

2026-05-28

Atualizado

2026-05-28

CVE-2026-47144

CVSS v3.1

5.5

Média

Vetor

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Impact

A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details.

Patches

Fixed in 0.1.7. Upgrade to either 0.1.7 or later versions to incorporate the patch.

Workarounds

Do not run shame next against untrusted shamefile.yaml. Use shame me --dry-run for CI validation.

Resources

Patch commit: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557
Pull request: https://github.com/BKDDFS/shamefile/pull/80
Release: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-22

Identificadores relacionados

CVE-2026-47144

GHSA-X6P3-76F2-XXVH

Produtos afetados

Shamefile

PT-2026-44550 · Pypi · Shamefile

CVE-2026-47144

Impact

Patches

Workarounds

Resources

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6