CVE-2026-30916 - Vulnerability Details

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project's threat model. See https://github.com/github/advisory-database/pull/7206 for more information.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Ericcornelissen Subscribe	Shescape Subscribe

Project Subscriptions

Vendors	Products
Ericcornelissen Subscribe	Shescape Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-6f6w-6j58-rq76	Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

No reference.

History

Fri, 20 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200
References	https://github.com/ericcornelissen/shescape/pull/2388 https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76 https://www.npmjs.com/package/shescape/v/2.1.9
Metrics	cvssV4_0 `{'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Fri, 20 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Title	Shescape has possible misidentification of shell due to link chains
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Mar 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description	Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. This vulnerability is fixed in 2.1.9.	REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project's threat model. See https://github.com/github/advisory-database/pull/7206 for more information.
Metrics	cvssV4_0 `{'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`	cvssV4_0 `{'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Tue, 10 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ericcornelissen Ericcornelissen shescape
Vendors & Products		Ericcornelissen Ericcornelissen shescape
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Mar 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information. This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. This vulnerability is fixed in 2.1.9.
Title		Shescape has possible misidentification of shell due to link chains
Weaknesses		CWE-200
References		https://github.com/ericcornelissen/shescape/pull/2388 https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76 https://www.npmjs.com/package/shescape/v/2.1.9
Metrics		cvssV4_0 `{'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Projects

Sign in to view the affected projects.

MITRE

Status: REJECTED

Assigner: GitHub_M

Published: 2026-03-09T22:48:14.873Z

Updated: 2026-03-20T19:50:13.932Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30916

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2026-03-10T17:40:15.363

Modified: 2026-03-20T20:16:47.593

Link: CVE-2026-30916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-10T14:06:28Z

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object