
CVE Reports

Posted on • Originally published at cvereports.com


CVE-2026-32094: Argument Injection via Incomplete Shell Escaping in shescape

Vulnerability ID: CVE-2026-32094
CVSS Score: 6.9
Published: 2026-03-11

The shescape library prior to version 2.1.10 fails to properly escape square brackets when targeting Unix-like shells. This omission allows attackers to leverage shell pathname expansion (globbing) to perform argument injection attacks, potentially exposing sensitive local files.

TL;DR

shescape < 2.1.10 is vulnerable to argument injection due to unescaped square brackets, allowing attackers to exploit shell globbing for unauthorized file access.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-200
  • Attack Vector: Network
  • CVSS v4.0: 6.9
  • Exploit Status: Proof of Concept
  • CISA KEV: False
  • Impact: Information Exposure

Affected Systems

  • shescape < 2.1.10 (fixed in 2.1.10)

Code Analysis

Commit: 6add105

Fix missing bracket escaping in Unix shells

Mitigation Strategies

  • Upgrade shescape to version 2.1.10
  • Enclose all interpolated shell variables in single quotes
  • Implement strict input validation to reject shell metacharacters

Remediation Steps:

  1. Identify all projects utilizing shescape via npm ls shescape or yarn why shescape.
  2. Update package.json to require shescape version ^2.1.10.
  3. Run npm install or yarn install to update the dependency tree.
  4. Review all instances of shescape.escape() usage to ensure the resulting variables are properly quoted in the final command string.
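As an added example (not shescape's code and not part of the original report), the JavaScript below is a small audit helper for the review in step 4: it flags glob metacharacters that an escaper left live in an unquoted argument, contrasting a constructed escaper that omits brackets with one that covers them and with the single-quote mitigation above. The escaper functions and the sample file name are constructed for illustration.

```javascript
// Added example (not shescape's code): find POSIX glob metacharacters that
// an escaper left live in an argument, and show the single-quote mitigation.
// Characters a POSIX sh expands as a pathname pattern when unquoted.
const GLOB_CHARS = new Set(["*", "?", "[", "]"]);

// Return every glob metacharacter in a command fragment that is neither
// backslash-escaped nor inside single quotes (where nothing is expanded).
function findLiveGlobChars(fragment) {
  const live = [];
  let inSingleQuotes = false;
  for (let i = 0; i < fragment.length; i++) {
    const ch = fragment[i];
    if (inSingleQuotes) {
      if (ch === "'") inSingleQuotes = false;
      continue;
    }
    if (ch === "'") { inSingleQuotes = true; continue; }
    if (ch === "\\") { i++; continue; } // backslash protects the next char
    if (GLOB_CHARS.has(ch)) live.push({ index: i, char: ch });
  }
  return live;
}

// Constructed incomplete escaper (NOT shescape's code): covers * and ? but forgets [ and ].
function incompleteEscape(arg) {
  return arg.replace(/([*?])/g, "\\$1");
}

// Same idea with brackets covered, so no glob character survives unescaped.
function completeEscape(arg) {
  return arg.replace(/([*?\[\]])/g, "\\$1");
}

// The advisory's mitigation: single-quote the whole argument; an embedded
// single quote becomes '\'' (close quote, escaped quote, reopen quote).
function quoteForPosixSh(arg) {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Audit each strategy on one argument (constructed sample: a file name with
// a bracket expression); a non-empty list means the shell would still glob.
function auditStrategies(arg = "report[1].txt") {
  const liveChars = (s) => findLiveGlobChars(s).map((h) => h.char);
  return {
    incomplete: liveChars(incompleteEscape(arg)), // ["[", "]"]
    complete: liveChars(completeEscape(arg)),     // []
    quoted: liveChars(quoteForPosixSh(arg)),      // []
  };
}
```

Running findLiveGlobChars over the exact string your code hands to the shell (after escaping and any quoting you add) is a cheap regression check to keep in a test suite alongside the dependency upgrade.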

