{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32094", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.853Z", "datePublished": "2026-03-11T19:50:10.617Z", "dateUpdated": "2026-03-12T19:54:17.725Z"}, "containers": {"cna": {"title": "Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm"}, {"name": "https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a", "tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a"}], "affected": [{"vendor": "ericcornelissen", "product": "shescape", "versions": [{"version": "< 2.1.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:50:10.617Z"}, "descriptions": [{"lang": "en", "value": "Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10."}], "source": {"advisory": "GHSA-9jfh-9xrq-4vwm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:54:11.107416Z", "id": "CVE-2026-32094", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:54:17.725Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32094", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:54:11.107416Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:54:14.665Z"}}], "cna": {"title": "Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash", "source": {"advisory": "GHSA-9jfh-9xrq-4vwm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "ericcornelissen", "product": "shescape", "versions": [{"status": "affected", "version": "< 2.1.10"}]}], "references": [{"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm", "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a", "name": "https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:50:10.617Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32094", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:54:17.725Z", "dateReserved": "2026-03-10T22:02:38.853Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:50:10.617Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DC87C55D-063B-467F-8917-DA7AB5CFE865", "versionEndExcluding": "2.1.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10."}, {"lang": "es", "value": "Shescape es una sencilla biblioteca de escape de shell para JavaScript. Antes de la versi\u00f3n 2.1.10, Shescape#escape() no escapa la sintaxis glob de corchetes para Bash, BusyBox sh y Dash. Las aplicaciones que interpolan el valor de retorno directamente en una cadena de comando de shell pueden hacer que un valor controlado por un atacante, como secret[12], se expanda en m\u00faltiples coincidencias del sistema de archivos en lugar de un \u00fanico argumento literal, convirtiendo un argumento en m\u00faltiples coincidencias de rutas de confianza. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.1.10."}], "id": "CVE-2026-32094", "lastModified": "2026-03-16T17:37:31.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T20:16:17.760", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "shescape", "source": "cna", "vendor": "ericcornelissen"}, "product": "shescape", "vendor": "ericcornelissen"}], "analysis": {"en": {"generated_at": "2026-03-17T17:52:27.471381+00:00", "value": {"mitigation_remediation": ["Update shescape to version 2.1.10 or newer", "Verify that the output of escape() is used safely or passed to non\u2011shell contexts", "Implement additional input validation to prevent unintended shell globbing"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects the shescape JavaScript library in all releases prior to 2.1.10. The affected CPE is cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:* . Any Node.js application that uses shescape\u2019s escape() function to build shell command strings and then executes those commands is vulnerable. The weakness does not arise from the shell itself, but from the improper escaping performed by the library when later interpreted by Bash, BusyBox sh, or Dash.", "description_and_impact": "Shescape\u2019s escape() function, before version 2.1.10, fails to escape square\u2011bracket glob syntax for Bash, BusyBox sh, and Dash. Because an attacker can supply a string such as secret[12] that is passed directly into a shell command, the shell performs glob expansion and replaces the token with multiple filesystem matches instead of a single literal argument. This results in unintended disclosure of filename information or presence of files. The nature of the weakness aligns with CWE\u2011200 Information Exposure. The primary impact, while not allowing arbitrary code execution, is that an attacker can learn sensitive filesystem details from the target environment. This impact is inferred from the description; the CVE itself does not state a direct data leak but the mechanics of glob expansion suggest information exposure.", "risk_and_exploitability": "The CVSS score of 6.9 indicates medium severity. An EPSS score of less than 1% suggests very low likelihood of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require that an attacker can provide untrusted input to escape() and that the application unconditionally runs the resulting string through a shell interpreter; typical paths could involve local or remote injection of data that reaches the escape() call. Because the vulnerability only causes accidental glob expansion and does not grant arbitrary command execution, the exploitable damage is limited to information disclosure and potential misuse of trusted paths, but the risk remains significant for applications handling sensitive data."}}}}, "created": "2026-03-12T09:56:24.683221+00:00", "updated": "2026-03-20T15:37:29.801062+00:00", "vendors": ["ericcornelissen", "ericcornelissen$PRODUCT$shescape"]}