PT-2026-24813 · Ericcornelissen+3 · Shescape
Anyzy2003
Published: 2026-03-11 · Updated: 2026-03-16
CVE-2026-32094
CVSS v4.0: 6.9 (Medium)
CVSS v4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Shescape versions prior to 2.1.10
Description
Shescape is a JavaScript library designed for shell escaping. Before version 2.1.10, the Shescape#escape() function did not escape square bracket glob syntax for the Bash, BusyBox sh, and Dash shells. When a value escaped this way was interpolated directly into a shell command string, an attacker-controlled value such as secret[12] could be expanded by the shell into multiple filesystem matches instead of being passed as a single literal argument. This can lead to argument injection, potentially altering command behavior, targeting unintended files, or leaking filenames. The issue stems from the lack of escaping for brackets in the library's Unix escape helpers.
Recommendations
Update Shescape to version 2.1.10 or later.
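The following example is added here and is not Shescape's own code; it models the advisory's point that an argument containing unquoted square brackets is a glob pattern in Bash, Dash and BusyBox sh, so secret[12] can expand to several filenames, and shows a quoting-based escape plus a check that no glob metacharacter survives unquoted. All helpers (naiveEscape, quoteForPosixShell, scanWord, expandWord) and the directory listing are hypothetical and constructed for this page.

```javascript
// Added example, not Shescape's own code. The helpers below are constructed.
const GLOB_CHARS = new Set(["*", "?", "[", "]"]);

// Models the pre-2.1.10 behaviour described above: a backslash-escaping helper
// whose character list lacks [ and ] (constructed, not the real Shescape code).
function naiveEscape(arg) {
  return String(arg).replace(/([ "$`\\!*?])/g, "\\$1");
}

// Hardened alternative: single-quote the whole argument. Inside single quotes a
// POSIX shell treats every character literally, so no glob expansion occurs.
// An embedded ' is closed, backslash-escaped and reopened: a'b -> 'a'\''b'.
function quoteForPosixShell(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Scan one shell word as the parser would: characters inside single quotes or
// after a backslash are literal; any other glob metacharacter is reported.
function scanWord(word) {
  let literal = "", inSingle = false;
  const globChars = [];
  for (let i = 0; i < word.length; i++) {
    const c = word[i];
    if (inSingle) { if (c === "'") inSingle = false; else literal += c; continue; }
    if (c === "'") { inSingle = true; continue; }
    if (c === "\\" && i + 1 < word.length) { literal += word[++i]; continue; }
    if (GLOB_CHARS.has(c)) globChars.push(c);
    literal += c;
  }
  return { literal, globChars };
}

// Simulate pathname expansion of one word against a constructed directory
// listing. Only the simple prefix[chars] form is handled, which covers the
// advisory's example. Like Bash without nullglob, a pattern that matches
// nothing is passed through unchanged.
function expandWord(word, filenames) {
  const { literal, globChars } = scanWord(word);
  if (globChars.length === 0) return [literal]; // safe: one literal argument
  const m = /^([^[]*)\[([^\]]+)\]$/.exec(literal);
  if (!m) return [literal];
  const [, prefix, set] = m;
  const matches = filenames.filter(f =>
    f.length === prefix.length + 1 && f.startsWith(prefix) && set.includes(f[prefix.length]));
  return matches.length ? matches.sort() : [literal];
}
```

With a constructed listing of secret1, secret2 and secret3, expandWord(naiveEscape("secret[12]"), files) yields two arguments while expandWord(quoteForPosixShell("secret[12]"), files) yields the single literal secret[12]; scanWord on the escaped output is a cheap regression check that no [ ] * ? is left unquoted.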
Information Disclosure
Affected Products
Shescape