CVE-2026-35197
Arbitrary Code Execution in dye Shell Script Color Library
Publication date: 2026-04-06
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattiebee | dye | 1.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in dye allows execution of arbitrary code via template injection, which results in high confidentiality and integrity impact. Such a flaw could potentially lead to unauthorized access or modification of sensitive data.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that compromise confidentiality and integrity can pose risks to compliance with these regulations, which require protection of personal and sensitive data.
Mitigating this vulnerability by upgrading to dye version 1.1.1 or avoiding untrusted content in templates is important to maintain compliance with data protection requirements.
Can you explain this vulnerability to me?
CVE-2026-35197 is a template injection vulnerability in the dye command-line tool, specifically in its template support introduced in version 1.1.0.
Dye templates parse the content between double curly braces ("{{" and "}}") and re-execute it as dye commands. Because that re-execution went through the shell builtin eval, any untrusted content placed inside the braces could inject arbitrary shell commands.
For example, a filename like `data {{red ;touch hacked}}` when printed via a dye template triggers execution of the injected shell command `touch hacked`, leading to arbitrary code execution.
This issue was discovered and fixed by the dye author and is not known to have been exploited in the wild. The fix, released in dye version 1.1.1, removes every use of eval and replaces it with a routine that explicitly splits the template expression into arguments and passes them to tput as separate parameters, so the shell never evaluates the template content.
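As an added illustration (not dye's own code), the following minimal POSIX sh renderer applies the approach the fix is described as taking: the "{{ ... }}" expression is field-split into words, the command word is checked against an allowlist, and the words are passed as separate arguments with no eval. The `paint` function and the color list are constructed stand-ins for the tput-backed commands so the script runs offline.

```sh
#!/bin/sh
# Added example, not dye's own code: a minimal renderer for the "{{ ... }}"
# template syntax described above, written the way the fix is summarised:
# no eval. Each expression is split into plain words and the command word is
# checked against an allowlist before anything is invoked. `paint` stands in
# for the tput-backed color commands so the script runs offline.

# Stand-in for a color command: wraps text in markers instead of escapes.
paint() { printf '<%s>%s</%s>' "$1" "$2" "$1"; }

# Allowlisted color names (constructed for this example).
is_color() {
  case $1 in red|green|blue|yellow) return 0 ;; *) return 1 ;; esac
}

# Render one template string: prints the result, returns 1 on a bad expression.
render() {
  text=$1 out='' ob='{{' cb='}}'
  while case $text in *"$ob"*"$cb"*) true ;; *) false ;; esac; do
    out="$out${text%%"$ob"*}"          # literal text before the expression
    text=${text#*"$ob"}
    body=${text%%"$cb"*}               # the expression body
    text=${text#*"$cb"}
    set -f; set -- $body; set +f       # field splitting only: ';' is just data
    color=${1:-}
    if ! is_color "$color"; then
      printf 'render: rejected expression: %s\n' "$body" >&2
      return 1
    fi
    shift
    out="$out$(paint "$color" "$*")"   # remaining words are the text to color
  done
  printf '%s' "$out$text"
}

# A benign expression renders; the advisory's injection string is rendered as
# text under "red" rather than run; an unknown command word is refused outright.
render 'status: {{green ok}}'; echo
render 'data {{red ;touch hacked}}'; echo
render 'x {{touch hacked}}' || echo '(blocked)'
```

The contrast with the vulnerable design is that `;touch hacked` never reaches a shell parser here: it is only ever an argument string, so no file is created.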
How can this vulnerability impact me?
This vulnerability allows an attacker with local access and low privileges, who can trick a user into interacting with a malicious dye template expression, to execute arbitrary code on the affected system.
The impact includes high confidentiality and integrity risks because arbitrary code execution can lead to unauthorized data access or modification.
However, availability is not affected by this vulnerability.
The attack requires user interaction and local access, meaning remote exploitation is not possible.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves code injection through dye template expressions that use double curly braces ("{{" and "}}") and the use of eval in processing these templates. Detection involves identifying usage of vulnerable dye versions (prior to 1.1.1) and checking for dye template expressions that include untrusted or suspicious content.
Since the vulnerability requires local access and user interaction, detection can focus on scanning scripts or commands that use dye templates with double curly braces and eval calls.
Suggested commands to detect potential exploitation or presence of vulnerable dye versions include:
- Check dye version installed: `dye --version` (ensure it is 1.1.1 or later)
- Search for dye template expressions in scripts: `grep -r '{{.*}}' /path/to/scripts`
- Look for suspicious commands or files created by injection, e.g., `find / -name hacked 2>/dev/null` (based on example injection creating a file named 'hacked')
- Audit shell history or logs for commands involving dye templates with suspicious content
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade dye to version 1.1.1 or later, where the vulnerability has been fixed by removing the use of eval and safely handling template arguments.
If upgrading immediately is not possible, avoid inserting untrusted content into dye template expressions or refrain from using dye template expressions altogether.
Additional steps include auditing existing scripts for vulnerable dye template usage and restricting local user privileges to reduce risk.