shell-quote (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package shell-quote, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (3)
CVE-2016-10541 — CVSS 9.8 (critical): The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications…
CVE-2021-42740 — CVSS 9.8 (critical): The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a…
CVE-2026-9277 — CVSS 8.1 (high): shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was…