Description
dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1.
Published: 2026-04-06
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via template injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from an injection flaw within dye template expressions, allowing an attacker to execute arbitrary shell commands when a vulnerable expression is evaluated. The weakness aligns with CWE‑94, enabling unauthorized code execution that can compromise confidentiality, integrity, and availability of the host environment. The reported CVSS score of 6.6 indicates moderate severity.

Affected Systems

The dye color library produced by mattieb is affected. Any instance installed with a version earlier than 1.1.1 may be vulnerable if a dye expression is evaluated in a shell script.

Risk and Exploitability

The assigned severity (CVSS 6.6) reflects a moderate risk; EPSS information is unavailable, and the vulnerability is not listed in the KEV catalog. The likely attack vector is local or through scripts that process untrusted dye expressions. While there is no evidence of active exploitation, environments that execute user‑supplied or compromised scripts could be impacted if an attacker can influence the content of a dye expression.

Generated by OpenCVE AI on April 7, 2026 at 02:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade dye to version 1.1.1 or later.
  • Ensure scripts only process dye expressions from trusted sources.
  • Verify any deployments that include dye expressions are from verified, legitimate origins.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mattieb; Mattieb dye
Vendors & Products | | Mattieb; Mattieb dye

Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1.
Title | | Code injection in dye template expressions
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:11:34.861Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35197

Vulnrichment

Updated: 2026-04-07T16:11:28.690Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T20:16:27.380

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35197

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:24Z

Weaknesses