PT-2026-39678 · Datadog+1 · Guarddog

Bg0D-Glitch · Published 2026-05-11 · Updated 2026-05-27 · CVE-2026-44972

CVSS v3.1: 5.0 Medium

Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

GuardDog versions 2.6.0 through 2.9.0

Description

GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. This allows a malicious package to inject ANSI or OSC escape sequences into analyst terminals or CI logs. The issue occurs because the human-readable reporter prints values directly from the finding formatter without applying escaping for control characters such as \x1b. This can be exploited to clear or rewrite terminal output, inject spoofed log content in CI, or emit clickable OSC 8 hyperlinks and title changes in compatible terminals.

Recommendations

For versions 2.6.0 through 2.9.0, escape or strip terminal control characters before rendering package names, file paths, messages, and code snippets in human-readable output.
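
One way to apply this recommendation, as an added example that is not GuardDog's own code or its actual fix. The function names, the finding dictionary layout and the sample values are assumptions constructed for illustration.

```python
import re

# C0 controls, DEL and C1 controls. The C1 range covers the 8-bit forms of
# CSI (0x9b) and OSC (0x9d), which some terminals honour like ESC [ and ESC ].
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_control(value, multiline=False):
    """Replace control characters with a visible \\xNN form.

    Escaping instead of stripping keeps the evidence in the report: the
    analyst sees that the package tried to emit a sequence.
    """
    def visible(match):
        ch = match.group(0)
        if multiline and ch in "\n\t":
            return ch  # layout characters are allowed only in code snippets
        return "\\x{:02x}".format(ord(ch))

    return _CONTROL.sub(visible, str(value))


def render_finding(finding):
    """Build the human-readable text for one finding from untrusted fields."""
    location = escape_control(finding["location"])
    message = escape_control(finding["message"])
    snippet = escape_control(finding["code"], multiline=True)
    return f"{location}: {message}\n{snippet}"


# Constructed sample: fields shaped the way the description says a
# malicious package can shape them (hypothetical values, not real output).
SAMPLE_FINDING = {
    # clear screen and move the cursor home
    "location": "pkg/setup.py\x1b[2J\x1b[H:12",
    # carriage return and newline used to spoof a log line
    "message": "exec call\r\nscan finished: 0 findings",
    # OSC 8 hyperlink inside the reported snippet
    "code": "exec(x)\n\x1b]8;;https://example.invalid\x07link\x1b]8;;\x07",
}

if __name__ == "__main__":
    print(render_finding(SAMPLE_FINDING))
```

Single-line fields (location, message) escape newlines as well, so a finding cannot add lines to a CI log; only the code snippet keeps its line breaks and tabs.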

Fix

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2026-44972
GHSA-M5P4-GVPX-4MVR

Affected Products

Guarddog