PT-2026-59685 · Pypi · Shamefile

Published

2026-07-13

·

Updated

2026-07-13

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Impact

A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details.

Patches

Fixed in 0.1.7. Upgrade to either 0.1.7 or later versions to incorporate the patch.

Workarounds

Do not run shame next against untrusted shamefile.yaml. Use shame me --dry-run for CI validation.

Resources

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-3065

Affected Products

Shamefile