Shell-quote Project Shell-quote — known CVE vulnerabilities
Every CVE whose affected-product data names Shell-quote Project Shell-quote, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (3)
CVE-2016-10541 — CVSS 9.8 (critical): The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications…
CVE-2021-42740 — CVSS 9.8 (critical): The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a…
CVE-2026-13311 — CVSS 7.5 (high): shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and…