What is the CVSS score of CVE-2026-9277?

CVE-2026-9277 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Red Hat are affected by CVE-2026-9277?

The shell-quote npm package, a critical dependency used across millions of applications in your software supply chain, contains a command injection vulnerability (CVE-2026-9277) that allows attackers…. A patch is available.

Red Hat CVE-2026-9277

HIGH

OS Command Injection (CWE-78)

2026-05-22 harborist

Command Injection Red Hat

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 22, 2026 - 14:00 vuln.today

DescriptionNVD

shell-quote's quote() function did not validate object-token inputs against the operator model used by parse(). The .op field was backslash-escaped character by character using /(.)/g, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in .op therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of { op: '...\n...' } from external input, and (2) via parse(cmd, envFn) when envFn returns object tokens whose .op is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: .op must match the parser's control-operator allowlist; { op: 'glob', pattern } validates pattern and forbids line terminators; { comment } validates comment and forbids line terminators; any other object shape throws TypeError.

AnalysisAI

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitrary shell commands via unescaped line terminators in the .op field. Affects the quote() API and parse() flows that accept object tokens, with no public exploit identified at time of analysis but a vendor-released upstream fix in commit 1518179. …

RemediationAI

Within 24 hours: Use Software Composition Analysis (SCA) tools to identify all direct and transitive dependencies on shell-quote across your application portfolio. Within 7 days: Upgrade shell-quote to the patched version in all non-production environments and validate shell command handling functionality. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-9277 vulnerability details – vuln.today

Back

Red Hat CVE-2026-9277

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code