CVE-2026-9277
Severity: HIGH

Description

shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command.

The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface.

Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.
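The following is an added illustration, not shell-quote's own code or the upstream fix. It reconstructs the pre-fix per-character escape so the bypass can be observed (`.` in a JavaScript regex without the `s` flag skips \n, \r, U+2028 and U+2029), and puts a shape-validating replacement beside it. The `CONTROL_OPS` allowlist, the output forms chosen for `glob` and `comment` tokens, and the simplified handling of plain string arguments are assumptions made for this example; the malicious token is constructed input. Path (2) from the description, `parse(cmd, envFn)` with an `envFn` that returns object tokens, reaches the same object-token branch and is not re-implemented here.

```javascript
// Added example (not shell-quote's code): pre-fix object-token escaping
// reconstructed beside a hardened, shape-validating replacement.

// Line terminators that the JavaScript "." metacharacter does NOT match.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Pre-fix behaviour (reconstructed): every character of .op is
// backslash-escaped via /(.)/g, so line terminators pass through untouched.
function escapeOpVulnerable(token) {
  return token.op.replace(/(.)/g, '\\$1');
}

// ASSUMED allowlist of control operators the parser recognises.
const CONTROL_OPS = new Set([
  '||', '&&', ';;', '|&', '<(', '>>', '>&', '&', ';', '(', ')', '|', '<', '>',
]);

function assertNoLineTerminator(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a string`);
  }
  if (LINE_TERMINATOR.test(value)) {
    throw new TypeError(`${field} must not contain a line terminator`);
  }
}

// Hardened replacement: validate the token's shape instead of escaping
// whatever .op happens to contain.
function quoteObjectToken(token) {
  if (typeof token.op === 'string' && token.op !== 'glob') {
    if (!CONTROL_OPS.has(token.op)) {
      throw new TypeError(`unknown control operator: ${JSON.stringify(token.op)}`);
    }
    // Allowlisted operators contain no line terminators, so the original
    // per-character escape is preserved and is now safe.
    return token.op.replace(/(.)/g, '\\$1');
  }
  if (token.op === 'glob') {
    assertNoLineTerminator(token.pattern, 'pattern');
    return token.pattern; // ASSUMED output form: emit the pattern for the shell to expand
  }
  if (Object.prototype.hasOwnProperty.call(token, 'comment')) {
    assertNoLineTerminator(token.comment, 'comment');
    return '#' + token.comment; // ASSUMED output form for comment tokens
  }
  throw new TypeError('unrecognised object token shape');
}

// Minimal quote() stand-in: object tokens go through objectQuoter; plain
// words pass through and anything else is single-quoted (simplified, not
// shell-quote's actual string handling).
function quote(tokens, objectQuoter) {
  return tokens.map((t) => {
    if (t && typeof t === 'object') return objectQuoter(t);
    const s = String(t);
    return /^[\w./=-]+$/.test(s) ? s : `'${s.replace(/'/g, "'\\''")}'`;
  }).join(' ');
}

// Constructed attacker-influenced token: a valid ';' followed by a newline
// and a second command. The shell reads "\i\d" as "id".
const malicious = { op: ';\nid' };

function demo() {
  const argv = ['echo', 'hi', malicious];
  const vulnerable = quote(argv, escapeOpVulnerable);
  let hardened;
  try {
    hardened = quote(argv, quoteObjectToken);
  } catch (e) {
    hardened = `${e.name}: ${e.message}`;
  }
  return { vulnerable, hardened, newlineSurvived: LINE_TERMINATOR.test(vulnerable) };
}

console.log(demo());
```

Running `demo()` shows the reconstructed escape emitting `echo hi \;` followed by a raw newline and `\i\d`, which a POSIX shell runs as two commands, while the hardened path rejects the same token with a `TypeError` before anything reaches the shell. The check that matters is the allowlist: escaping is the wrong tool for a field whose value space is a small fixed set.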
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Moderate risk: more likely to be exploited than 53% of all known CVEs.
References
- https://github.com/ljharb/shell-quote
- https://github.com/ljharb/shell-quote/commit/1518179
- https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p
- https://www.npmjs.com/package/shell-quote
- http://www.openwall.com/lists/oss-security/2026/05/23/2
- https://access.redhat.com/errata/RHSA-2026:26072
- https://access.redhat.com/errata/RHSA-2026:26077
- https://access.redhat.com/errata/RHSA-2026:26079
- https://access.redhat.com/errata/RHSA-2026:26080
- https://access.redhat.com/errata/RHSA-2026:26090
- https://access.redhat.com/errata/RHSA-2026:26225
- https://access.redhat.com/errata/RHSA-2026:26234
- https://access.redhat.com/errata/RHSA-2026:28010
- https://access.redhat.com/errata/RHSA-2026:28571
- https://access.redhat.com/errata/RHSA-2026:29197
- https://access.redhat.com/errata/RHSA-2026:30076
- https://access.redhat.com/security/cve/CVE-2026-9277
- https://bugzilla.redhat.com/show_bug.cgi?id=2480741
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9277.json
This page uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-30.