Fluid Attacks Database

Description

A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-shell-quote	=1.7.4+~1.7.1-1 \|\| =1.7.4+~1.7.1-2 \|\| =1.8.3+~1.7.5-1 \|\| >=0 <1.8.4+~1.7.5-1	1.8.4+~1.7.5-1
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-
debian 12	node-shell-quote	=1.7.4+~1.7.1-1 \|\| >=0 <1.7.4+~1.7.1-1+deb12u1	1.7.4+~1.7.1-1+deb12u1
debian 13	node-shell-quote	=1.7.4+~1.7.1-1 \|\| >=0 <1.7.4+~1.7.1-1+deb13u1	1.7.4+~1.7.1-1+deb13u1

Aliases

1. CVE-2026-92772. NVD-2026-92773. OSV-DEBIAN-2026-92774. OSV-2026-92775. SECURITY-TRACKER-CVE-2026-9277

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.