CVE-2026-47144
Published:May 31, 2026
Updated:June 13, 2026
Impact A path traversal vulnerability in "shame next" allows an attacker-controlled "shamefile.yaml" to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details. Patches Fixed in 0.1.7. Upgrade to either 0.1.7 or later versions to incorporate the patch. Workarounds Do not run "shame next" against untrusted "shamefile.yaml". Use "shame me --dry-run" for CI validation. Resources - Patch commit: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557 - Pull request: https://github.com/BKDDFS/shamefile/pull/80 - Release: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" (https://cwe.mitre.org/data/definitions/22.html)
Affected Packages
shamefile (NPM):
Affected version(s) >=0.1.0-rc.3 <0.1.7Fix Suggestion:
Update to version 0.1.7shamefile (PYTHON):
Affected version(s) >=0.1.0rc2 <0.1.7Fix Suggestion:
Update to version 0.1.7shamefile (RUST):
Affected version(s) >=0.1.0-rc.1 <0.1.7Fix Suggestion:
Update to version 0.1.7Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.8
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
EPSS
Base Score:
0.01