@alon710
Created March 11, 2026 20:10
CVE-2026-32094: Argument Injection via Incomplete Shell Escaping in shescape

CVSS Score: 6.9 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-32094

Summary

The shescape library prior to version 2.1.10 fails to properly escape square brackets when targeting Unix-like shells. This omission allows attackers to leverage shell pathname expansion (globbing) to perform argument injection attacks, potentially exposing sensitive local files.

TL;DR

shescape < 2.1.10 is vulnerable to argument injection due to unescaped square brackets, allowing attackers to exploit shell globbing for unauthorized file access.

Exploit Status: POC

Technical Details

  • CWE: CWE-200
  • Attack Vector: Network
  • CVSS v4.0: 6.9
  • Exploit Status: Proof of Concept
  • CISA KEV: False
  • Impact: Information Exposure

Affected Systems

  • shescape < 2.1.10 (Fixed in: 2.1.10)

Mitigation

  • Upgrade shescape to version 2.1.10
  • Enclose all interpolated shell variables in single quotes
  • Implement strict input validation to reject shell metacharacters

Remediation Steps:

  1. Identify all projects utilizing shescape via npm ls shescape or yarn why shescape.
  2. Update package.json to require shescape version ^2.1.10.
  3. Run npm install or yarn install to update the dependency tree.
  4. Review all instances of shescape.escape() usage to ensure the resulting variables are properly quoted in the final command string.
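As an added illustration of step 4 (not code from the shescape project or from this report): a small audit helper that takes one argument as it would appear in the final POSIX sh command string and reports whether any glob metacharacter is still exposed to pathname expansion, alongside the single-quote wrapping the mitigation list recommends. The function names and the sample arguments are constructed for this example.

```javascript
// Added example for auditing how an escaped argument lands in the command
// string. Assumption: the target is a POSIX sh command line and `word` is a
// single argument (possibly already quoted) taken from that string.
const GLOB_CHARS = new Set(["[", "]", "*", "?"]);

// True if a glob metacharacter in `word` is outside single/double quotes and
// not backslash-escaped, i.e. the shell would still try to expand it.
function hasUnquotedGlobChars(word) {
  let quote = null; // "'" or '"' while inside a quoted segment
  for (let i = 0; i < word.length; i++) {
    const ch = word[i];
    if (quote === "'") {
      if (ch === "'") quote = null;           // nothing is special inside '...'
      continue;
    }
    if (quote === '"') {
      if (ch === "\\") i++;                   // \" or \\ inside "..."
      else if (ch === '"') quote = null;      // globbing is off inside "..."
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; continue; }
    if (ch === "\\") { i++; continue; }       // backslash-escaped character
    if (GLOB_CHARS.has(ch)) return true;
  }
  return false;
}

// Hardened form: wrap the whole argument in single quotes, closing and
// reopening the quote around any embedded single quote ('\'').
function safeShellWord(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Constructed samples: a bracket pattern, a wildcard, an embedded quote.
const samples = ["[a]", "report-*.txt", "it's [x]", "plain"];
for (const s of samples) {
  const quoted = safeShellWord(s);
  console.log(
    `${s} -> ${quoted}  expandable before/after: ` +
    `${hasUnquotedGlobChars(s)}/${hasUnquotedGlobChars(quoted)}`
  );
}
```

Run it over each interpolated value you find during the review; any argument that reports `true` after escaping is one that still needs quoting in the command string.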

Generated by CVEReports - Automated Vulnerability Intelligence