Platform
javascript
Component
dye
Fixed in
1.1.2
CVE-2026-35197 is a code execution vulnerability affecting versions of the dye color library prior to 1.1.1. Maliciously crafted template expressions within the dye library can trigger arbitrary code execution. This vulnerability was identified and addressed by the dye library's author. The issue is resolved in version 1.1.1 and is not currently known to be exploited.
An attacker could exploit this vulnerability by crafting a malicious dye template expression. When this expression is processed by the dye library, it could lead to the execution of arbitrary code on the system. The potential impact ranges from information disclosure and denial of service to complete system compromise, depending on the privileges of the process running the dye library. This vulnerability highlights the importance of carefully validating user-supplied input, even within seemingly innocuous libraries.
This vulnerability is not currently known to be exploited. It was discovered and promptly patched by the dye library's author. It is not listed on the CISA KEV catalog. A public proof-of-concept is not currently available, which reduces the immediate risk, but diligent monitoring and timely patching remain crucial.
Exploit Status
EPSS
0.02% (5th percentile)
The primary mitigation for CVE-2026-35197 is to upgrade to version 1.1.1 of the dye library. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider isolating the dye library in a sandboxed environment to limit the impact of exploitation. While no active exploitation is known, review any scripts or applications that use dye for potentially malicious template expressions. No WAF or proxy rule can directly address this vulnerability, because it resides in the library's own template-processing logic.
Update the 'dye' library to version 1.1.1 or later to mitigate the code injection vulnerability in template expressions. The update corrects the issue by preventing the execution of arbitrary code. See the GitHub repository for details and for the updated release.
CVE-2026-35197 describes a code execution vulnerability in the dye color library where malicious template expressions can trigger arbitrary code execution before version 1.1.1.
You are affected if you are using dye versions 0.0.0 through 1.1.0. Upgrade to 1.1.1 to mitigate the risk.
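As an added example that is not part of the advisory or the dye project, the following script checks a parsed package-lock.json for copies of dye in the affected range stated above (anything below 1.1.1), including transitive copies that a check of direct dependencies alone misses; the package name `some-cli` and the sample lock are constructed.

```javascript
// Added example (not from the advisory or the dye project): list every copy of
// "dye" in a package-lock.json below the fixed release 1.1.1, including
// transitive copies nested under other dependencies.
const FIXED_VERSION = '1.1.1';

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are dropped
// (assumption: a prerelease such as 1.1.1-rc.1 is treated as 1.1.1).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when `version` is strictly lower than `fixed`.
function isAffectedVersion(version, fixed = FIXED_VERSION) {
  const a = parseVersion(version), b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return the
// install path and version of each affected copy of `pkg`.
function findAffectedCopies(lock, pkg = 'dye') {
  const hits = [];
  const check = (path, info) => {
    if (info.version && isAffectedVersion(info.version)) hits.push({ path, version: info.version });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${pkg}`)) check(path, info);
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 also carries this section
  // for compatibility, so it is only walked when "packages" is absent).
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === pkg) check(path, info);
      walk(info.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lock (v3): the direct copy is patched, but a CLI tool nests an affected one.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/dye': { version: '1.1.1' },
  'node_modules/some-cli': { version: '2.0.0' },
  'node_modules/some-cli/node_modules/dye': { version: '1.0.3' },
} };
```

Running `findAffectedCopies(SAMPLE_LOCK)` reports only the nested 1.0.3 copy; feed it `JSON.parse(fs.readFileSync('package-lock.json'))` to scan a real project.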
Upgrade to version 1.1.1 of the dye library. This version contains the fix for the code execution vulnerability.
Currently, CVE-2026-35197 is not known to be actively exploited, but prompt patching is still recommended.
Refer to the dye library's official repository or documentation for the advisory and release notes related to version 1.1.1.