CVE-2026-35197 · CRITICAL 9.8 · EPSS p20.6%


Description

dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% probability of exploitation · percentile 20.6% · 2026-06-19T12:03:05Z
Published: 2026-04-06
Last modified: 2026-04-16

Underlying weaknesses · 1

CWE-94

References

  1. https://github.com/mattieb/dye/security/advisories/GHSA-3v4r-5vfh-3wjr
  2. https://mattiebee.io/dye-template-advisory

Type | Target | Confidence | Tier
Weakness | Improper Control of Generation of Code ('Code Injection') cwe-94 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33154
  2. CVE-2025-65741
  3. CVE-2026-21267
  4. CVE-2025-27516
  5. CVE-2026-11076
  6. CVE-2026-33587

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.