Platform: javascript
Component: dye
Fixed in: 1.1.2
CVE-2026-35197 is a code execution vulnerability affecting versions of the dye color library prior to 1.1.1. Maliciously crafted template expressions within the dye library can trigger arbitrary code execution. This vulnerability was identified and addressed by the dye library's author. The issue is resolved in version 1.1.1 and is not currently known to be exploited.
An attacker could exploit this vulnerability by crafting a malicious dye template expression. When this expression is processed by the dye library, it could lead to the execution of arbitrary code on the system. The potential impact ranges from information disclosure and denial of service to complete system compromise, depending on the privileges of the process running the dye library. This vulnerability highlights the importance of carefully validating user-supplied input, even within seemingly innocuous libraries.
This vulnerability is not currently known to be exploited. It was discovered and promptly patched by the dye library's author. It is not listed on the CISA KEV catalog. A public proof-of-concept is not currently available, which reduces the immediate risk, but diligent monitoring and timely patching remain crucial.
Developers and system administrators using the dye color library in their shell scripts or applications are at risk. Specifically, those relying on older, unpatched versions (0.0.0 up to, but not including, 1.1.1) are vulnerable. Automated build systems and CI/CD pipelines that incorporate dye should be updated to use the patched version.
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-35197 is to upgrade to version 1.1.1 of the dye library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider isolating the dye library within a sandboxed environment to limit the potential impact of exploitation. While no active exploitation is known, review any scripts or applications using dye for potentially malicious template expressions. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the library's code processing logic.
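One way to check a project for the affected range before patching, as an added example that is not code from the advisory or from the dye project: the script below walks the "packages" map of a package-lock.json (v2/v3 layout, assumed) and flags every copy of dye, nested ones included, whose version is below 1.1.1. The range comes from the advisory text; the sample lockfile is constructed.

```javascript
// Added example (not part of the advisory or the dye project): flag installed
// copies of "dye" whose version is in the affected range 0.0.0 <= v < 1.1.1.
// The package-lock.json "packages" layout is an assumption; the range is from
// the advisory text.
const FIXED_VERSION = '1.1.1';
const VULNERABLE_PACKAGE = 'dye';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null on junk input.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two semver strings (negative, zero, positive). A prerelease sorts
// below its release, so 1.1.1-rc.1 is still treated as affected.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre === null ? 1 : pb.pre === null ? -1 : pa.pre.localeCompare(pb.pre);
}

function isAffected(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Keys look like "node_modules/dye" or "node_modules/foo/node_modules/dye";
// nested copies pulled in by other dependencies count too.
function findAffectedDye(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${VULNERABLE_PACKAGE}`) || !meta.version) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: one direct affected copy, one nested fixed copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/dye': { version: '1.0.4' },
    'node_modules/some-tool/node_modules/dye': { version: '1.1.1' },
  },
};

console.log(JSON.stringify(findAffectedDye(SAMPLE_LOCK)));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.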
Update the 'dye' library to version 1.1.1 or later to mitigate the code injection vulnerability in template expressions. This update fixes the problem by preventing the execution of arbitrary code. See the GitHub repository for further details and to download the updated version.
CVE-2026-35197 describes a code execution vulnerability in the dye color library where malicious template expressions can trigger arbitrary code execution before version 1.1.1.
You are affected if you are using dye versions 0.0.0 through 1.1.0. Upgrade to 1.1.1 to mitigate the risk.
Upgrade to version 1.1.1 of the dye library. This version contains the fix for the code execution vulnerability.
Currently, CVE-2026-35197 is not known to be actively exploited, but prompt patching is still recommended.
Refer to the dye library's official repository or documentation for the advisory and release notes related to version 1.1.1.