CVE-2026-9277 is a critical vulnerability in the shell-quote package, with a CVSS score of 9.2. The vulnerability exists in the `quote()` function, which did not validate object-token inputs against the operator model used by `parse()`. This allows an attacker to inject malicious commands. The vulnerability can be exploited in two ways: directly constructing a malicious object or via the `parse()` functio [truncated]
CVE-2026-8723 describes a denial-of-service-style reliability bug in qs: when `qs.stringify` is called with `arrayFormat: "comma"` and `encodeValuesOnly: true`, a null or undefined element inside an array can trigger a synchronous TypeError instead of producing a query string. The issue is fixed in v6.15.2.
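A defensive wrapper for the qs case above, as an added example that is not code from qs or its advisory: it rejects input that matches the described trigger and contains the synchronous TypeError so it cannot take down the calling request handler. The names `hasNullishArrayElement`, `safeStringify` and `standInStringify` are hypothetical, and the stand-in only mimics the failure mode so the block runs without qs installed.

```javascript
// Added example: hypothetical guard around a qs-style stringify function.
// Function names are illustrative and are not part of the qs API.

// True if any array reachable from `value` holds null, undefined or a hole.
function hasNullishArrayElement(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return false;
  seen.add(value); // guard against cyclic input
  if (Array.isArray(value)) {
    // Index loop on purpose: some()/forEach() skip holes in sparse arrays.
    for (let i = 0; i < value.length; i++) {
      if (value[i] == null || hasNullishArrayElement(value[i], seen)) return true;
    }
    return false;
  }
  return Object.values(value).some((v) => hasNullishArrayElement(v, seen));
}

// Calls `stringify` (pass qs.stringify in real code) and never lets the
// synchronous TypeError escape into the request handler.
function safeStringify(stringify, params, options = {}) {
  const risky = options.arrayFormat === 'comma' && options.encodeValuesOnly === true;
  if (risky && hasNullishArrayElement(params)) {
    return { ok: false, reason: 'nullish-array-element' };
  }
  try {
    return { ok: true, query: stringify(params, options) };
  } catch (err) {
    if (err instanceof TypeError) return { ok: false, reason: 'stringify-threw' };
    throw err; // anything else is not this bug; let it surface
  }
}

// Constructed stand-in so the example runs offline. It only mimics the
// failure mode (TypeError on a null element); it is not qs's implementation.
function standInStringify(params) {
  return Object.entries(params)
    .map(([key, v]) => key + '=' + [].concat(v).map((x) => encodeURIComponent(x.toString())).join(','))
    .join('&');
}

const opts = { arrayFormat: 'comma', encodeValuesOnly: true };
console.log(safeStringify(standInStringify, { tags: ['a', 'b'] }, opts));
console.log(safeStringify(standInStringify, { tags: ['a', null] }, opts));
```

Counting `ok: false` results by `reason` in application metrics shows whether callers are sending the triggering input, both before and after moving to v6.15.2.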