Symlink Attack The advisory has been revoked - it doesn't affect any version of package shescape  (opens in a new tab)


Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-SHESCAPE-15440479
  • published8 Mar 2026
  • disclosed7 Mar 2026
  • creditUnknown

Introduced: 7 Mar 2026

CVE-2026-30916  (opens in a new tab)
CWE-59  (opens in a new tab)

Amendment

This was deemed not a vulnerability.

Overview

shescape is a simple shell escape library

Affected versions of this package are vulnerable to Symlink Attack in resolving shells in unix.js.

UPDATE: This issue has been found to be outside of the security scope of the project, and is not considered a vulnerability in the package. See https://github.com/github/advisory-database/pull/7206