CVE-2026-32094

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10.
Configurations

Configuration 1

cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*

History

16 Mar 2026, 17:37

Type | Values Removed | Values Added
Summary | (none) | (es) Shescape is a simple shell escape library for JavaScript. Prior to version 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in version 2.1.10.
References | () https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a - | () https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a - Patch
References | () https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm - | () https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm - Exploit, Vendor Advisory
CPE | (none) | cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*
CWE | (none) | NVD-CWE-noinfo
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 6.5
First Time | (none) | Shescape Project; Shescape Project shescape

11 Mar 2026, 20:16

Type | Values Removed | Values Added
New CVE | (none) | (none)

Information

Published : 2026-03-11 20:16

Updated : 2026-03-16 17:37


NVD link : CVE-2026-32094

Mitre link : CVE-2026-32094

CVE.ORG link : CVE-2026-32094

Products Affected

shescape_project

  • shescape
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo