<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sat, 13 Jun 2026 20:57:07 +0000</lastBuildDate>
    <item>
      <title>522b9bf4-7e3f-4cdc-ac10-82db1f7e6f52</title>
      <link>https://vulnerability.circl.lu/sighting/522b9bf4-7e3f-4cdc-ac10-82db1f7e6f52/export</link>
      <description>{"uuid": "522b9bf4-7e3f-4cdc-ac10-82db1f7e6f52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-9277", "type": "published-proof-of-concept", "source": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p", "content": "", "creation_timestamp": "2026-05-22T13:22:55.000000Z"}</description>
      <content:encoded>{"uuid": "522b9bf4-7e3f-4cdc-ac10-82db1f7e6f52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-9277", "type": "published-proof-of-concept", "source": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p", "content": "", "creation_timestamp": "2026-05-22T13:22:55.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/522b9bf4-7e3f-4cdc-ac10-82db1f7e6f52/export</guid>
      <pubDate>Fri, 22 May 2026 13:22:55 +0000</pubDate>
    </item>
    <item>
      <title>23d12cc0-adfa-480d-ac1d-e0e8ff1d1588</title>
      <link>https://vulnerability.circl.lu/sighting/23d12cc0-adfa-480d-ac1d-e0e8ff1d1588/export</link>
      <description>{"uuid": "23d12cc0-adfa-480d-ac1d-e0e8ff1d1588", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmhhsrhmds2o", "content": "CVE-2026-9277 - shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`\nCVE ID : CVE-2026-9277\n \n Published : May 22, 2026, 1:22 p.m. | 3\u00a0hours, 37\u00a0minutes ago\n \n Description : shell-quote's `quote()` function did n...", "creation_timestamp": "2026-05-22T17:34:40.998843Z"}</description>
      <content:encoded>{"uuid": "23d12cc0-adfa-480d-ac1d-e0e8ff1d1588", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmhhsrhmds2o", "content": "CVE-2026-9277 - shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`\nCVE ID : CVE-2026-9277\n \n Published : May 22, 2026, 1:22 p.m. | 3\u00a0hours, 37\u00a0minutes ago\n \n Description : shell-quote's `quote()` function did n...", "creation_timestamp": "2026-05-22T17:34:40.998843Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/23d12cc0-adfa-480d-ac1d-e0e8ff1d1588/export</guid>
      <pubDate>Fri, 22 May 2026 17:34:40 +0000</pubDate>
    </item>
    <item>
      <title>5f8fa135-1c7a-4eb7-99b5-9a632d20a721</title>
      <link>https://vulnerability.circl.lu/sighting/5f8fa135-1c7a-4eb7-99b5-9a632d20a721/export</link>
      <description>{"uuid": "5f8fa135-1c7a-4eb7-99b5-9a632d20a721", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mmiohjvizp24", "content": "CVE-2026-9277: shell-quote before 1.8.4 command injection in quote()", "creation_timestamp": "2026-05-23T05:06:18.547696Z"}</description>
      <content:encoded>{"uuid": "5f8fa135-1c7a-4eb7-99b5-9a632d20a721", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mmiohjvizp24", "content": "CVE-2026-9277: shell-quote before 1.8.4 command injection in quote()", "creation_timestamp": "2026-05-23T05:06:18.547696Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/5f8fa135-1c7a-4eb7-99b5-9a632d20a721/export</guid>
      <pubDate>Sat, 23 May 2026 05:06:18 +0000</pubDate>
    </item>
    <item>
      <title>a4e18def-a160-41e0-b81c-c14d258f72c2</title>
      <link>https://vulnerability.circl.lu/sighting/a4e18def-a160-41e0-b81c-c14d258f72c2/export</link>
      <description>{"uuid": "a4e18def-a160-41e0-b81c-c14d258f72c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mnu56ea4xh42", "content": "Ubuntu 26.04 LTS node-shell-quote Important Denial of Service CVE-2026-9277 shell-quote could be made to crash or run programs as your login if it received specially crafted input.\n\n#Ubuntu #Linux #Distribution #- #Security #Advisories\n\nOrigin | Interest | Match", "creation_timestamp": "2026-06-09T11:57:13.756478Z"}</description>
      <content:encoded>{"uuid": "a4e18def-a160-41e0-b81c-c14d258f72c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mnu56ea4xh42", "content": "Ubuntu 26.04 LTS node-shell-quote Important Denial of Service CVE-2026-9277 shell-quote could be made to crash or run programs as your login if it received specially crafted input.\n\n#Ubuntu #Linux #Distribution #- #Security #Advisories\n\nOrigin | Interest | Match", "creation_timestamp": "2026-06-09T11:57:13.756478Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/a4e18def-a160-41e0-b81c-c14d258f72c2/export</guid>
      <pubDate>Tue, 09 Jun 2026 11:57:13 +0000</pubDate>
    </item>
    <item>
      <title>d0a58e54-6ade-4efc-93e6-d4e1d4a18f52</title>
      <link>https://vulnerability.circl.lu/sighting/d0a58e54-6ade-4efc-93e6-d4e1d4a18f52/export</link>
      <description>{"uuid": "d0a58e54-6ade-4efc-93e6-d4e1d4a18f52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnufvafg7c2y", "content": "\ud83d\udea8 The CVE-2026-9277 vulnerability in shell-quote allowed command injection through line breaks.       Learn more -&amp;gt; tinyurl.com/y67n6kcj  #Ubuntu", "creation_timestamp": "2026-06-09T14:30:05.619524Z"}</description>
      <content:encoded>{"uuid": "d0a58e54-6ade-4efc-93e6-d4e1d4a18f52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnufvafg7c2y", "content": "\ud83d\udea8 The CVE-2026-9277 vulnerability in shell-quote allowed command injection through line breaks.       Learn more -&amp;gt; tinyurl.com/y67n6kcj  #Ubuntu", "creation_timestamp": "2026-06-09T14:30:05.619524Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/d0a58e54-6ade-4efc-93e6-d4e1d4a18f52/export</guid>
      <pubDate>Tue, 09 Jun 2026 14:30:05 +0000</pubDate>
    </item>
    <item>
      <title>b14f6e24-037e-4524-b580-ebf7600e8433</title>
      <link>https://vulnerability.circl.lu/sighting/b14f6e24-037e-4524-b580-ebf7600e8433/export</link>
      <description>{"uuid": "b14f6e24-037e-4524-b580-ebf7600e8433", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnufvbgzfk2y", "content": "\ud83d\udea8 The CVE-2026-9277 vulnerability in shell-quote allowed command injection through line breaks.       Learn more -&amp;gt; tinyurl.com/y67n6kcj  #Ubuntu", "creation_timestamp": "2026-06-09T14:30:06.395058Z"}</description>
      <content:encoded>{"uuid": "b14f6e24-037e-4524-b580-ebf7600e8433", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnufvbgzfk2y", "content": "\ud83d\udea8 The CVE-2026-9277 vulnerability in shell-quote allowed command injection through line breaks.       Learn more -&amp;gt; tinyurl.com/y67n6kcj  #Ubuntu", "creation_timestamp": "2026-06-09T14:30:06.395058Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/b14f6e24-037e-4524-b580-ebf7600e8433/export</guid>
      <pubDate>Tue, 09 Jun 2026 14:30:06 +0000</pubDate>
    </item>
    <item>
      <title>3ffa7d51-9f48-4d4c-ab5b-e3c45a3e6032</title>
      <link>https://vulnerability.circl.lu/sighting/3ffa7d51-9f48-4d4c-ab5b-e3c45a3e6032/export</link>
      <description>{"uuid": "3ffa7d51-9f48-4d4c-ab5b-e3c45a3e6032", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://gist.github.com/alon710/7c6790428586de0d6663a6b961e49e06", "content": "# CVE-2026-9277: CVE-2026-9277: OS Command Injection in shell-quote via Object-Token Line Terminator Parsing Defect\n\n&amp;gt; **CVSS Score:** 8.1\n&amp;gt; **Published:** 2026-06-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-9277\n\n## Summary\nA technical breakdown of the OS command injection vulnerability in the shell-quote NPM package (CVE-2026-9277 / GHSA-w7jw-789q-3m8p). The bug resides in the character-by-character backslash-escaping logic applied to the .op field of object-tokens within the quote() function, which fails to match and escape line terminators due to a regex matching oversight in JavaScript. This allows unauthenticated remote attackers to execute arbitrary shell commands if they can control inputs processed by this library.\n\n## TL;DR\nAn OS command injection vulnerability in shell-quote &amp;lt; 1.8.4 allows arbitrary command execution. 
The quote() function fails to escape line terminators within object-tokens due to a regular expression omission, enabling attackers to inject newlines that act as command separators in POSIX shells.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-78 / CWE-77\n- **Attack Vector**: Network (AV:N)\n- **CVSS Severity**: 8.1 (High)\n- **EPSS Score**: 0.00068\n- **Exploit Status**: Proof of Concept\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications running shell-quote &amp;lt; 1.8.4\n- **shell-quote**: &amp;gt;= 1.1.0, &amp;lt; 1.8.4 (Fixed in: `1.8.4`)\n\n## Mitigation\n\n- Upgrade shell-quote to version 1.8.4 or newer.\n- Implement input validation to ensure only string elements are passed to quote()\n- Sanitize any custom callbacks passed to parse() to prevent returning unchecked object-tokens\n\n**Remediation Steps:**\n1. Identify applications utilizing shell-quote in package.json\n2. Execute 'npm install shell-quote@1.8.4' to apply the official patch\n3. Verify dependencies recursively using 'npm audit' to ensure no transitive vulnerabilities remain\n\n## References\n\n- [https://github.com/advisories/GHSA-w7jw-789q-3m8p](https://github.com/advisories/GHSA-w7jw-789q-3m8p)\n- [https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p](https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p)\n- [http://www.openwall.com/lists/oss-security/2026/05/23/2](http://www.openwall.com/lists/oss-security/2026/05/23/2)\n- [https://github.com/ljharb/shell-quote](https://github.com/ljharb/shell-quote)\n- [https://www.npmjs.com/package/shell-quote](https://www.npmjs.com/package/shell-quote)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-9277) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-09T14:41:30.000000Z"}</description>
      <content:encoded>{"uuid": "3ffa7d51-9f48-4d4c-ab5b-e3c45a3e6032", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9277", "type": "seen", "source": "https://gist.github.com/alon710/7c6790428586de0d6663a6b961e49e06", "content": "# CVE-2026-9277: CVE-2026-9277: OS Command Injection in shell-quote via Object-Token Line Terminator Parsing Defect\n\n&amp;gt; **CVSS Score:** 8.1\n&amp;gt; **Published:** 2026-06-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-9277\n\n## Summary\nA technical breakdown of the OS command injection vulnerability in the shell-quote NPM package (CVE-2026-9277 / GHSA-w7jw-789q-3m8p). The bug resides in the character-by-character backslash-escaping logic applied to the .op field of object-tokens within the quote() function, which fails to match and escape line terminators due to a regex matching oversight in JavaScript. This allows unauthenticated remote attackers to execute arbitrary shell commands if they can control inputs processed by this library.\n\n## TL;DR\nAn OS command injection vulnerability in shell-quote &amp;lt; 1.8.4 allows arbitrary command execution. 
The quote() function fails to escape line terminators within object-tokens due to a regular expression omission, enabling attackers to inject newlines that act as command separators in POSIX shells.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-78 / CWE-77\n- **Attack Vector**: Network (AV:N)\n- **CVSS Severity**: 8.1 (High)\n- **EPSS Score**: 0.00068\n- **Exploit Status**: Proof of Concept\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications running shell-quote &amp;lt; 1.8.4\n- **shell-quote**: &amp;gt;= 1.1.0, &amp;lt; 1.8.4 (Fixed in: `1.8.4`)\n\n## Mitigation\n\n- Upgrade shell-quote to version 1.8.4 or newer.\n- Implement input validation to ensure only string elements are passed to quote()\n- Sanitize any custom callbacks passed to parse() to prevent returning unchecked object-tokens\n\n**Remediation Steps:**\n1. Identify applications utilizing shell-quote in package.json\n2. Execute 'npm install shell-quote@1.8.4' to apply the official patch\n3. Verify dependencies recursively using 'npm audit' to ensure no transitive vulnerabilities remain\n\n## References\n\n- [https://github.com/advisories/GHSA-w7jw-789q-3m8p](https://github.com/advisories/GHSA-w7jw-789q-3m8p)\n- [https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p](https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p)\n- [http://www.openwall.com/lists/oss-security/2026/05/23/2](http://www.openwall.com/lists/oss-security/2026/05/23/2)\n- [https://github.com/ljharb/shell-quote](https://github.com/ljharb/shell-quote)\n- [https://www.npmjs.com/package/shell-quote](https://www.npmjs.com/package/shell-quote)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-9277) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-09T14:41:30.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/3ffa7d51-9f48-4d4c-ab5b-e3c45a3e6032/export</guid>
      <pubDate>Tue, 09 Jun 2026 14:41:30 +0000</pubDate>
    </item>
  </channel>
</rss>
