Platform
javascript
Component
dye
Fixed in
1.1.2
CVE-2026-35197 is a code execution vulnerability affecting versions of the dye color library prior to 1.1.1. Maliciously crafted template expressions within the dye library can trigger arbitrary code execution. This vulnerability was identified and addressed by the dye library's author. The issue is resolved in version 1.1.1 and is not currently known to be exploited.
An attacker could exploit this vulnerability by crafting a malicious dye template expression. When this expression is processed by the dye library, it could lead to the execution of arbitrary code on the system. The potential impact ranges from information disclosure and denial of service to complete system compromise, depending on the privileges of the process running the dye library. This vulnerability highlights the importance of carefully validating user-supplied input, even within seemingly innocuous libraries.
This vulnerability is not currently known to be exploited. It was discovered and promptly patched by the dye library's author. It is not listed on the CISA KEV catalog. A public proof-of-concept is not currently available, which reduces the immediate risk, but diligent monitoring and timely patching remain crucial.
Developers and system administrators using the dye color library in their shell scripts or applications are at risk. Specifically, those relying on older, unpatched versions (0.0.0 up to, but not including, 1.1.1) are vulnerable. Automated build systems and CI/CD pipelines that incorporate dye should be updated to use the patched version.
Disclosure
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35197 is to upgrade to version 1.1.1 of the dye library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider isolating the dye library within a sandboxed environment to limit the potential impact of exploitation. While no active exploitation is known, review any scripts or applications using dye for potentially malicious template expressions. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the library's code processing logic.
Update the 'dye' library to version 1.1.1 or later to mitigate the code injection vulnerability in template expressions. This update corrects the issue by preventing the execution of arbitrary code. Consult the GitHub repository for more details and to download the updated version.
CVE-2026-35197 describes a code execution vulnerability in the dye color library where malicious template expressions can trigger arbitrary code execution before version 1.1.1.
You are affected if you are using dye versions 0.0.0 through 1.1.0. Upgrade to 1.1.1 to mitigate the risk.
Upgrade to version 1.1.1 of the dye library. This version contains the fix for the code execution vulnerability.
Currently, CVE-2026-35197 is not known to be actively exploited, but prompt patching is still recommended.
Refer to the dye library's official repository or documentation for the advisory and release notes related to version 1.1.1.