Critical severity 9.0 · NVD Advisory · Published Jan 8, 2016 · Updated Jun 17, 2026
CVE-2015-8557
Description
The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Pygments (PyPI) | >= 1.2.2, < 2.1 | 2.1 |
Affected products
- cpe:2.3:a:pygments:pygments:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:pygments:pygments:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
References
- github.com/advisories/GHSA-fff8-4w9p-7v76 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-8557 (ghsa, ADVISORY)
- packetstormsecurity.com/files/133823/Pygments-FontManager._get_nix_font_path-Shell-Injection.html (nvd, WEB)
- seclists.org/fulldisclosure/2015/Oct/4 (nvd, WEB)
- www.debian.org/security/2016/dsa-3445 (nvd, WEB)
- www.openwall.com/lists/oss-security/2015/12/14/17 (nvd, WEB)
- www.openwall.com/lists/oss-security/2015/12/14/6 (nvd, WEB)
- www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html (nvd, WEB)
- www.ubuntu.com/usn/USN-2862-1 (nvd, WEB)
- github.com/pygments/pygments/commit/db6dd826f8624179e563aaded391efe824462f51 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pygments/PYSEC-2016-32.yaml (ghsa, WEB)
- security.gentoo.org/glsa/201612-05 (nvd, WEB)