CVE-2026-44972: GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content
GuardDog writes attacker-controlled data (file names, file locations, finding messages, and code snippets taken from the scanned package) into its default human-readable output without escaping terminal control characters. A malicious package can therefore plant ANSI (CSI) or OSC escape sequences in those fields and have them interpreted by an analyst's terminal or by a CI log viewer, for example to clear or overwrite what the analyst sees.
- Create a file whose name contains \x1b[2J (the CSI "clear screen" sequence).
- Feed a semgrep-style result referencing that file into Analyzer._format_semgrep_response().
- Render the result with HumanReadableReporter.print_scan_results().
- The output string contains the raw escape bytes, which a terminal may interpret.
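The following is an added example written for this page, not GuardDog's own code: it does not call Analyzer._format_semgrep_response() or HumanReadableReporter.print_scan_results(), but reproduces the defect in a minimal reporter. It renders a constructed semgrep-style finding (field names check_id, path, start.line, extra.message and extra.lines as in semgrep's JSON output; the rule id and URL are placeholders) whose path carries a CSI clear-screen sequence and whose message carries an OSC 8 hyperlink, first with the vulnerable verbatim interpolation and then with a hardened form that escapes C0/C1 control characters, plus a check that can be run over the final output or a CI log.

```python
import re

# Constructed sample finding (not real scanner output): the path and message
# carry the escape sequences a malicious package could plant via a crafted
# filename or matched code.
SAMPLE_FINDING = {
    "check_id": "example-rule",  # placeholder rule id
    "path": "pkg/\x1b[2Jsetup.py",  # CSI 2J: clear screen
    "start": {"line": 3},
    "extra": {
        # OSC 8 hyperlink around the words "install hook", terminated by BEL
        "message": "suspicious \x1b]8;;http://example.invalid\x07install hook\x1b]8;;\x07",
        "lines": "os.system('curl ...')",
    },
}

# Control characters a terminal or log viewer may act on: C0 controls
# (ESC 0x1b and BEL 0x07 among them), DEL, and the C1 range 0x80-0x9f, which
# holds the 8-bit CSI/OSC introducers. TAB (0x09) is left alone.
_CONTROLS_KEEP_LF = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")  # LF passes
_CONTROLS_ALL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")      # LF escaped too


def escape_control_chars(text: str, keep_newlines: bool = False) -> str:
    """Render every control character as a visible \\xNN escape instead of
    passing it through. Single-line fields (paths, messages) also get LF
    escaped, so one finding cannot forge an extra line of output."""
    pattern = _CONTROLS_KEEP_LF if keep_newlines else _CONTROLS_ALL
    return pattern.sub(lambda m: f"\\x{ord(m.group(0)):02x}", text)


def contains_terminal_escapes(text: str) -> bool:
    """True if the text still holds characters a terminal could interpret.
    Usable as a final guard on rendered output, or over a captured CI log."""
    return _CONTROLS_KEEP_LF.search(text) is not None


def render_finding_unsafe(finding: dict) -> str:
    """The vulnerable pattern: package-derived fields interpolated verbatim."""
    extra = finding["extra"]
    return (
        f"[{finding['check_id']}] {finding['path']}:{finding['start']['line']}\n"
        f"  {extra['message']}\n"
        f"  {extra['lines']}"
    )


def render_finding_safe(finding: dict) -> str:
    """Hardened form: every package-derived field is escaped before output.
    check_id comes from the scanner's own rules, but escaping it costs nothing;
    the line number is coerced to int so it cannot carry text at all."""
    extra = finding["extra"]
    return (
        f"[{escape_control_chars(finding['check_id'])}] "
        f"{escape_control_chars(finding['path'])}:{int(finding['start']['line'])}\n"
        f"  {escape_control_chars(extra['message'])}\n"
        f"  {escape_control_chars(extra['lines'], keep_newlines=True)}"
    )


if __name__ == "__main__":
    # repr() so the raw ESC/BEL bytes are visible instead of being executed
    print("unsafe:", repr(render_finding_unsafe(SAMPLE_FINDING)))
    print("safe:")
    print(render_finding_safe(SAMPLE_FINDING))
```

Running the block prints the unsafe rendering through repr() so the raw bytes stay visible; printing it directly would clear the terminal on the first line. The escaping is deliberately a visible-escape transform rather than an attempt to strip well-formed CSI/OSC sequences, because a parser that recognises only complete sequences can be bypassed with truncated or 8-bit variants, while escaping every control character leaves nothing for the terminal to interpret. Unicode bidi override characters are a separate concern and are not covered by this check.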