Skip to main content

Check Peer Dependencies

1 CVEs product

Monthly

CVE-2026-15033 MEDIUM This Month

OS command injection in christopherthielen/check-peer-dependencies up to version 4.3.4 allows remote low-privileged attackers to execute arbitrary operating system commands via the shelljs.exec() call in dist/packageUtils.js when processing peerDependency data. The vulnerable code path passes unsanitized dependency-related input directly to a shell execution function, a classic CWE-78 pattern. No vendor patch is available at time of analysis - the project maintainer has not responded to the issue report filed on GitHub (issue #74), and no KEV listing exists. EPSS data was not provided, so broad exploitation probability cannot be quantified.

Command Injection Check Peer Dependencies
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
1.1%
EPSS 1% CVSS 5.3
MEDIUM This Month

OS command injection in christopherthielen/check-peer-dependencies up to version 4.3.4 allows remote low-privileged attackers to execute arbitrary operating system commands via the shelljs.exec() call in dist/packageUtils.js when processing peerDependency data. The vulnerable code path passes unsanitized dependency-related input directly to a shell execution function, a classic CWE-78 pattern. No vendor patch is available at time of analysis - the project maintainer has not responded to the issue report filed on GitHub (issue #74), and no KEV listing exists. EPSS data was not provided, so broad exploitation probability cannot be quantified.

Command Injection Check Peer Dependencies
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy