Skip to main content

Dye CVE-2026-35197

| EUVDEUVD-2026-19471 MEDIUM
Code Injection (CWE-94)
2026-04-06 GitHub_M
6.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.1.1
EUVD ID Assigned
Apr 06, 2026 - 19:45 euvd
EUVD-2026-19471
Analysis Generated
Apr 06, 2026 - 19:45 vuln.today
CVE Published
Apr 06, 2026 - 19:39 nvd
MEDIUM 6.6

DescriptionGitHub Advisory

dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1.

AnalysisAI

Arbitrary code execution in dye color library versions prior to 1.1.1 allows authenticated local users with interactive UI access to execute arbitrary code through malicious template expressions. The vulnerability stems from unsafe evaluation of template syntax and requires local file system access and user interaction. No public exploits have been identified; the vulnerability was discovered and remediated by the author.

Technical ContextAI

dye is a portable shell script color library that processes template expressions for dynamic output formatting. The vulnerability exists in template expression evaluation logic (CWE-94: Improper Control of Generation of Code, also known as Code Injection). Prior to version 1.1.1, the library fails to properly sanitize or restrict template expression evaluation, allowing attackers to break out of the intended template context and execute arbitrary shell commands. The affected product is identified by CPE cpe:2.3:a:mattieb:dye:*:*:*:*:*:*:*:* across all versions prior to 1.1.1.

RemediationAI

Vendor-released patch: dye 1.1.1. Users should immediately upgrade to version 1.1.1 or later, which addresses the unsafe template expression evaluation. No workarounds for earlier versions have been documented. Upgrade instructions and patch verification are available in the GitHub Security Advisory (https://github.com/mattieb/dye/security/advisories/GHSA-3v4r-5vfh-3wjr) and the author's advisory (https://mattiebee.io/dye-template-advisory).

Share

CVE-2026-35197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy