CVE-2026-32094: Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. An application that interpolates the return value directly into a shell command string therefore leaves pathname expansion active on the value: an attacker-controlled string such as secret[12] is treated as a bracket pattern rather than a literal, and the shell substitutes every matching filename, so what the application passed as one argument can arrive at the command as several trusted pathnames.
References
- github.com/advisories/GHSA-9jfh-9xrq-4vwm
- github.com/ericcornelissen/shescape
- github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a
- github.com/ericcornelissen/shescape/pull/2410
- github.com/ericcornelissen/shescape/releases/tag/v2.1.10
- github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm
- nvd.nist.gov/vuln/detail/CVE-2026-32094