Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1.
AnalysisAI
Arbitrary code execution in dye color library versions prior to 1.1.1 allows authenticated local users with interactive UI access to execute arbitrary code through malicious template expressions. The vulnerability stems from unsafe evaluation of template syntax and requires local file system access and user interaction. No public exploits have been identified; the vulnerability was discovered and remediated by the author.
Technical ContextAI
dye is a portable shell script color library that processes template expressions for dynamic output formatting. The vulnerability exists in template expression evaluation logic (CWE-94: Improper Control of Generation of Code, also known as Code Injection). Prior to version 1.1.1, the library fails to properly sanitize or restrict template expression evaluation, allowing attackers to break out of the intended template context and execute arbitrary shell commands. The affected product is identified by CPE cpe:2.3:a:mattieb:dye:*:*:*:*:*:*:*:* across all versions prior to 1.1.1.
RemediationAI
Vendor-released patch: dye 1.1.1. Users should immediately upgrade to version 1.1.1 or later, which addresses the unsafe template expression evaluation. No workarounds for earlier versions have been documented. Upgrade instructions and patch verification are available in the GitHub Security Advisory (https://github.com/mattieb/dye/security/advisories/GHSA-3v4r-5vfh-3wjr) and the author's advisory (https://mattiebee.io/dye-template-advisory).
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19471