VYPR

shell-quote

by shell-quote

npm: shell-quote

CVEs (2)

  • CVE-2026-9277HigMay 22, 2026
    risk 0.46cvss 8.1epss 0.01

    shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line…

  • CVE-2026-13311modJun 25, 2026
    risk 0.42cvss 6.5epss 0.00

    shell-quote: shell-quote/parse: shell-quote: Denial of Service due to inefficient input parsing