
Shescape 2.1.8 and earlier: Sensitive information exposed through shell bypass

GHSA-6f6w-6j58-rq76 CVE-2026-30916
Summary

If you use Shescape, an attacker may be able to bypass its escaping and access sensitive information when the shell you configured points to a file on disk that is a link to another link. The exact outcome depends on the shell actually used and the shell Shescape incorrectly identifies. Update to version 2.1.9 to fix this issue.

What to do
  • Update shescape to version 2.1.9.
Affected software
Vendor | Product | Affected versions | Fix available
– | shescape | <= 2.1.8 | 2.1.9
Original title
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive...
Original description
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. This vulnerability is fixed in 2.1.9.
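The affected configuration described above is a shell path that is a link to a link. The following added example (not code from Shescape or from the advisory) walks a configured shell path one symlink hop at a time and reports whether it matches that condition; the function names and the temporary `sh -> sh-alt -> dash` fixture are constructed for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Follow symbolic links one hop at a time and return every path visited,
// starting with the configured path and ending with the real file.
function linkChain(file, maxHops = 40) {
  const chain = [path.resolve(file)];
  for (let i = 0; i < maxHops; i++) {
    const current = chain[chain.length - 1];
    if (!fs.lstatSync(current).isSymbolicLink()) return chain;
    // readlink may return a relative target; resolve it against the link's directory.
    const target = fs.readlinkSync(current);
    chain.push(path.resolve(path.dirname(current), target));
  }
  throw new Error(`too many symlink hops starting at ${file}`);
}

// Summarise a shell path. linkToLink is the condition the advisory names:
// the configured file is a link whose target is itself a link.
function inspectShell(file) {
  const chain = linkChain(file);
  const hops = chain.length - 1;
  return {
    configured: chain[0],
    firstHop: chain[Math.min(1, hops)], // where a single hop lands
    real: chain[hops],                  // the file that actually runs
    hops,
    linkToLink: hops >= 2,
  };
}

// Constructed fixture (assumption): sh -> sh-alt -> dash in a temp directory.
function buildFixture() {
  const dir = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "shell-links-")));
  fs.writeFileSync(path.join(dir, "dash"), "#!/bin/sh\n", { mode: 0o755 });
  fs.symlinkSync("dash", path.join(dir, "sh-alt"));                // relative link
  fs.symlinkSync(path.join(dir, "sh-alt"), path.join(dir, "sh"));  // absolute link
  return dir;
}

const fixture = buildFixture();
console.log(inspectShell(path.join(fixture, "sh")));
```

Run `inspectShell` on the path you pass as Shescape's shell setting; a result with `linkToLink: true` on shescape 2.1.8 or earlier matches the affected setup.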
GHSA CVSS 4.0 score: 2.9
Vulnerability type
CWE-200 Information Exposure
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026