| Release | Version |
|---|---|
| bookworm | 1.7.4+~1.7.1-1+deb12u1 |
| trixie | 1.7.4+~1.7.1-1+deb13u1 |
| forky | 1.9.0+~1.7.5-1 |
| sid | 1.9.0+~1.7.5-1 |
| Bug | bookworm | trixie | forky | sid | Description |
|---|---|---|---|---|---|
| CVE-2026-13311 | vulnerable | vulnerable (no DSA) | fixed | fixed | shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Ar ... |
| Bug | Description |
|---|---|
| CVE-2026-9277 | shell-quote's `quote()` function did not validate object-token inputs ... |
| CVE-2021-42740 | The shell-quote package before 1.7.3 for Node.js allows command inject ... |
| CVE-2016-10541 | The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ... |
| DSA / DLA | Description |
|---|---|
| DSA-6300-1 | node-shell-quote - security update |