PT-2026-24092 · Shescape · Shescape

Eric Cornelissen +1

Published 2026-03-07 · Updated 2026-03-10 · CVE-2026-30916

CVSS v4.0: 6.3 Medium
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Shescape versions prior to 2.1.9
Description: Shescape is a JavaScript shell escape library. In affected versions an attacker may be able to bypass escaping for the shell in use, potentially exposing sensitive information. Only users who configure the shell option to point to a file on disk that is a symbolic link to another symbolic link are affected. The outcome of a successful exploit depends on which shell is in use and on how Shescape identifies it. The published proof of concept demonstrates the bypass with a crafted payload supplied through the userInput variable to shescape.escape(); the example executes commands via the /api/v1/exec endpoint.
Recommendations: Versions prior to 2.1.9 should be upgraded to version 2.1.9 or later. If upgrading is not possible, avoid using a shell or ensure the configured shell path is not a link to a link.

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-30916
GHSA-6F6W-6J58-RQ76

Affected Products

Shescape