CVE-2026-30916

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. This vulnerability is fixed in 2.1.9.

CVSS

No CVSS.

References

Link	Resource
https://github.com/ericcornelissen/shescape/pull/2388
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76
https://www.npmjs.com/package/shescape/v/2.1.9
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76

Configurations

No configuration.

History

10 Mar 2026, 18:18

Type	Values Removed	Values Added
References	~~() https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76 -~~	() https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76 -

10 Mar 2026, 17:40

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 17:40

Updated : 2026-03-11 13:53

NVD link : CVE-2026-30916

Mitre link : CVE-2026-30916

CVE.ORG link : CVE-2026-30916

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-30916", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T17:40:15.363", "references": [{"url": "https://github.com/ericcornelissen/shescape/pull/2388", "source": "security-advisories@github.com"}, {"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76", "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/shescape/v/2.1.9", "source": "security-advisories@github.com"}, {"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. This vulnerability is fixed in 2.1.9."}], "lastModified": "2026-03-11T13:53:47.157", "sourceIdentifier": "security-advisories@github.com"}