PatchSiren

ljharb CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL ljharb CVE published 2026-05-22

CVE-2026-9277

CVE-2026-9277 is a critical vulnerability in the shell-quote package, with a CVSS score of 9.2. The vulnerability exists in the `quote()` function, which did not validate object-token inputs against the operator model used by `parse()`. This allows an attacker to inject malicious commands. The vulnerability can be exploited in two ways: directly constructing a malicious object or via the `parse()` functio [truncated]

MEDIUM ljharb CVE published 2026-05-17

CVE-2026-8723

CVE-2026-8723 describes a denial-of-service-style reliability bug in qs: when `qs.stringify` is called with `arrayFormat: "comma"` and `encodeValuesOnly: true`, a `null` or `undefined` element inside an array can trigger a synchronous `TypeError` instead of producing a query string. The issue is fixed in v6.15.2.