CVE-2026-32094
Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10.
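The expansion described above can be reproduced in a scratch directory. This is an added example, not Shescape's code: the helpers `escape_brackets` and `count_args` and the files `secret1` and `secret2` are constructed for illustration, and the backslash escaping shown is one way to keep the brackets literal, not necessarily what 2.1.10 does.

```shell
#!/bin/sh
# Constructed demo: an unescaped [..] inside a value that is interpolated
# into a command string is treated as a pathname pattern by sh.

# Hypothetical helper: backslash-escape [ and ] so the shell keeps them literal.
escape_brackets() {
  printf '%s' "$1" | sed 's/[][]/\\&/g'
}

# Interpolate $2 into a command string, run it with `sh -c` inside
# directory $1, and print how many arguments the shell produced from it.
count_args() {
  ( cd "$1" && sh -c "set -- $2; echo \$#" )
}

demo() {
  dir=$(mktemp -d) || return 1
  # Constructed sample files that the pattern secret[12] matches.
  : > "$dir/secret1"
  : > "$dir/secret2"
  value='secret[12]'

  # Brackets left active: one value becomes one argument per matching file.
  echo "unescaped: $(count_args "$dir" "$value") argument(s)"

  # Brackets escaped: the value stays a single literal argument.
  echo "escaped:   $(count_args "$dir" "$(escape_brackets "$value")") argument(s)"

  rm -rf "$dir"
}

demo
```

When no file in the working directory matches, sh leaves the pattern unchanged, so the unescaped case can pass testing and only misbehave where matching files exist.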
| CWE | CWE-200 |
| Vendor | ericcornelissen |
| Product | shescape |
| Published | Mar 11, 2026 |
| Last Updated | Mar 12, 2026 |
Affected Versions
| ericcornelissen / shescape | < 2.1.10 |