Skip to main content

check-peer-dependencies EUVDEUVD-2026-42234

| CVE-2026-15033 MEDIUM
OS Command Injection (CWE-78)
2026-07-08 VulDB GHSA-fmmh-7qjr-fp9g
5.3
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

OS command injection grants arbitrary code execution, warranting C:H/I:H/A:H; PR:L because attacker must control peerDependency input data fed to the tool.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 13:52 vuln.today

DescriptionCVE.org

A flaw has been found in christopherthielen check-peer-dependencies up to 4.3.4. Affected by this vulnerability is the function shelljs.exec of the file dist/packageUtils.js of the component peerDependencies. This manipulation causes os command injection. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

OS command injection in christopherthielen/check-peer-dependencies up to version 4.3.4 allows remote low-privileged attackers to execute arbitrary operating system commands via the shelljs.exec() call in dist/packageUtils.js when processing peerDependency data. The vulnerable code path passes unsanitized dependency-related input directly to a shell execution function, a classic CWE-78 pattern. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Introduce malicious peerDependency in package.json
Delivery
Trigger check-peer-dependencies execution
Exploit
shelljs.exec processes unsanitized dependency string
Execution
OS command injected into shell
Impact
Arbitrary commands execute on host

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to have the ability to influence peerDependency data that check-peer-dependencies processes - this is the specific prerequisite grounded in CWE-78 and the shelljs.exec code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates a network-reachable, low-complexity attack requiring low privileges and no user interaction, which describes a realistic threat in CI/CD and developer automation contexts where the tool is commonly invoked against third-party package content. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can introduce a malicious or modified package.json - for example, by contributing to a repository whose CI/CD pipeline runs check-peer-dependencies, or by publishing a malicious npm package whose peerDependencies field contains shell metacharacters - could cause the shelljs.exec() call in packageUtils.js to execute arbitrary OS commands on the CI/CD runner or developer workstation when the tool processes that dependency data. No confirmed public exploit code exists at time of analysis, but the exploitation pattern is straightforward given the classic command injection nature of CWE-78.
Remediation No vendor-released patch has been identified at time of analysis - the upstream maintainer has not responded to the vulnerability disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy