shell-quote CVE-2026-9277: newline slips past regex
shell-quote 1.8.4 fixes CVE-2026-9277 (CVSS 8.1): a newline in a .op token bypasses escaping because JavaScript's /(.)/g does not match line terminators.
2 articles tagged #command-injection
Evince and Atril have an argument injection bug in ev_spawn(). Opening a crafted PDF on GNOME or MATE runs arbitrary code. No patch — avoid untrusted PDFs.