{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30916", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.884Z", "datePublished": "2026-03-09T22:48:14.873Z", "dateUpdated": "2026-03-10T13:55:23.217Z"}, "containers": {"cna": {"title": "Shescape has possible misidentification of shell due to link chains", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76"}, {"name": "https://github.com/ericcornelissen/shescape/pull/2388", "tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/shescape/pull/2388"}, {"name": "https://www.npmjs.com/package/shescape/v/2.1.9", "tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/shescape/v/2.1.9"}], "affected": [{"vendor": "ericcornelissen", "product": "shescape", "versions": [{"version": "< 2.1.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:48:14.873Z"}, "descriptions": [{"lang": "en", "value": "Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. This vulnerability is fixed in 2.1.9."}], "source": {"advisory": "GHSA-6f6w-6j58-rq76", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:55:18.499776Z", "id": "CVE-2026-30916", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:55:23.217Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30916", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:55:18.499776Z"}}}], "references": [{"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:55:11.150Z"}}], "cna": {"title": "Shescape has possible misidentification of shell due to link chains", "source": {"advisory": "GHSA-6f6w-6j58-rq76", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.9, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "ericcornelissen", "product": "shescape", "versions": [{"status": "affected", "version": "< 2.1.9"}]}], "references": [{"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76", "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ericcornelissen/shescape/pull/2388", "name": "https://github.com/ericcornelissen/shescape/pull/2388", "tags": ["x_refsource_MISC"]}, {"url": "https://www.npmjs.com/package/shescape/v/2.1.9", "name": "https://www.npmjs.com/package/shescape/v/2.1.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. This vulnerability is fixed in 2.1.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:48:14.873Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30916", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:55:23.217Z", "dateReserved": "2026-03-07T16:40:05.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T22:48:14.873Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. This vulnerability is fixed in 2.1.9."}], "id": "CVE-2026-30916", "lastModified": "2026-03-10T18:18:51.930", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T17:40:15.363", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ericcornelissen/shescape/pull/2388"}, {"source": "security-advisories@github.com", "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/shescape/v/2.1.9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "shescape", "source": "cna", "vendor": "ericcornelissen"}, "product": "shescape", "vendor": "ericcornelissen"}], "created": "2026-03-10T14:06:28.001722+00:00", "updated": "2026-03-10T14:06:28.001799+00:00", "vendors": ["ericcornelissen", "ericcornelissen$PRODUCT$shescape"]}