CVE-2026-32094 affects the shescape JavaScript library, specifically versions prior to 2.1.10. Shescape is designed to safely escape strings for use in shell commands. However, the escape() function failed to properly escape square-bracket glob syntax, which is interpreted by shells such as Bash, BusyBox sh, and Dash. When an application interpolates the output of escape() directly into shell commands, an attacker can supply input containing patterns like secret[12]. Instead of treating this as a literal string, the shell expands it into multiple filesystem matches (e.g., secret1, secret2), effectively turning one argument into multiple arguments. This behavior can lead to exposure of sensitive file paths or data if the expanded matches reveal confidential information. The vulnerability does not require privileges or user interaction and can be exploited remotely if the application passes untrusted input to shell commands using shescape. The CVSS v4.0 score is 6.9 (medium severity), reflecting network exploitability with no authentication required and limited confidentiality and integrity impact. The issue was publicly disclosed in March 2026 and fixed in version 2.1.10 of shescape. No known exploits are reported in the wild yet. The root cause is improper escaping of shell globbing syntax, leading to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

The primary impact of this vulnerability is the unintended exposure of sensitive filesystem information due to shell glob expansion of attacker-controlled input. Organizations that use shescape in JavaScript applications to build shell commands with untrusted input risk leaking confidential file paths or data. This can aid attackers in reconnaissance or further exploitation by revealing the presence and names of sensitive files. Since the vulnerability does not allow direct code execution or privilege escalation, the impact is limited to confidentiality breaches and potential information disclosure. However, in environments where shell commands control critical systems or handle sensitive data, this exposure can facilitate more severe attacks. The vulnerability is exploitable remotely without authentication, increasing its risk profile. Organizations relying on vulnerable versions of shescape in web applications, CI/CD pipelines, or automation scripts that invoke shell commands are particularly at risk. The absence of known exploits in the wild suggests limited current exploitation but also highlights the importance of timely patching to prevent future attacks.

To mitigate this vulnerability, organizations should immediately upgrade shescape to version 2.1.10 or later, where the escape() function properly escapes square-bracket glob syntax. Additionally, developers should avoid directly interpolating untrusted input into shell commands, even when using escaping libraries. Employ safer alternatives such as passing arguments as arrays to spawn or exec functions that do not invoke shell parsing. Implement strict input validation and sanitization to reject or neutralize glob patterns and other shell metacharacters. Conduct code audits to identify all usages of shescape and shell command construction in the codebase. Where possible, replace shell command invocations with native APIs or libraries that do not rely on shell parsing. Monitor logs for suspicious input patterns that may indicate exploitation attempts. Finally, maintain an updated inventory of dependencies and apply security patches promptly to reduce exposure to known vulnerabilities.