CVE-2026-30916
Received Received - Intake
Shell Escape Bypass in Shescape JavaScript Library Allows Data Exposure

Publication date: 2026-03-10

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior described did not falls within the project's threat model. See https://github.com/github/advisory-database/pull/7206 for more information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-03-20
NVD
CVE-2026-30916
EUVD
EUVD-2026-10424
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ericcornelissen shescape 2.1.9
ericcornelissen shescape to 2.1.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30916 is a vulnerability in the Shescape JavaScript library, which is used for shell escaping. The issue arises when the shell path configured in Shescape is a symbolic link (symlink) that points to another symlink, creating a chain of links. Prior to version 2.1.9, Shescape did not properly resolve these recursive symlinks, which could lead to incorrect identification of the actual shell executable.

This incorrect shell identification can allow an attacker to bypass the escaping mechanisms that Shescape provides, potentially enabling unsafe input to be executed or sensitive information to be exposed.

The vulnerability was fixed in version 2.1.9 by implementing recursive symlink resolution, loop detection to prevent infinite loops, and improved handling of relative symlinks.

Impact Analysis

If you use Shescape with a shell path configured as a symlink to another symlink, this vulnerability can allow an attacker to bypass the shell escaping protections.

This can lead to exposure of sensitive information, such as revealing user environment details, or potentially allow execution of unsafe shell commands due to improper escaping.

The exact impact depends on the shell being used and how Shescape misidentifies it, but it generally increases the risk of security issues related to command injection or information leakage.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the shell configured in your environment is a symbolic link that points to another symbolic link (a chain of symlinks). Such chained symlinks can cause Shescape to misidentify the shell and bypass escaping.

To detect this on a Unix-like system, you can use commands to inspect the shell path and resolve symlinks recursively. For example:

  • Use `ls -l $(which sh)` or `ls -l /bin/sh` to check if the shell is a symlink.
  • Use `readlink -f $(which sh)` to resolve the full chain of symlinks to the actual executable.
  • If `readlink -f` is not available, use a loop with `readlink` to manually resolve symlinks until the final target is found.

If the shell path is a symlink to another symlink (a link-to-link), this indicates the vulnerable condition described in CVE-2026-30916.

Mitigation Strategies

The primary mitigation step is to upgrade the Shescape library to version 2.1.9 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, you should avoid configuring your shell path to a symbolic link that points to another symbolic link.

Alternatively, avoid using a shell specified via chained symbolic links altogether to prevent the bypass of escaping mechanisms.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30916. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart