CVE-2026-47144
Shamefile has an arbitrary file read via shamefile.yaml in shame next
Severity: MEDIUM (5.5)
Description
### Impact

A path traversal vulnerability in `shame next` allows an attacker-controlled `shamefile.yaml` to disclose the contents of files outside the repository, one line at a time, to the terminal of the user who runs the command. See the patch commit for technical details.

### Patches

Fixed in 0.1.7. Upgrade to 0.1.7 or a later version to incorporate the patch.

### Workarounds

Do not run `shame next` against an untrusted `shamefile.yaml`. Use `shame me --dry-run` for CI validation.

### Resources

- Patch commit: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557
- Pull request: https://github.com/BKDDFS/shamefile/pull/80
- Release: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7
- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
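The advisory describes the CWE-22 pattern in general terms: a manifest the tool trusts names files, and the tool reads and prints them without checking that the resolved path stays inside the repository. The following is an added example, not shamefile's code and not the fix in the linked commit; it shows the standard mitigation in Python (chosen for illustration, not because shamefile is written in it). The helper `resolve_within_root` canonicalises a manifest-supplied path against the repository root and rejects anything that lands outside it, covering `../` segments, absolute paths and symlinks that point out of the tree. The manifest entries and the throwaway repository layout are constructed for the demonstration; the function names are assumptions.

```python
"""Added example (not shamefile's code): keep manifest-supplied paths inside
the repository root before reading or echoing any file content (CWE-22)."""
import tempfile
from pathlib import Path


def resolve_within_root(root, candidate):
    """Resolve `candidate` relative to `root` and return the real path.

    Raises ValueError when the canonical target is not the root itself or
    one of its descendants. Because both sides are fully resolved, `..`
    segments, absolute paths and symlinks pointing outside the tree are all
    rejected by the same comparison.
    """
    root_real = Path(root).resolve(strict=True)
    # Joining an absolute `candidate` discards `root_real`; resolve() then
    # yields a path that fails the containment check below.
    target = (root_real / candidate).resolve()
    try:
        target.relative_to(root_real)
    except ValueError:
        raise ValueError(f"path escapes repository root: {candidate!r}") from None
    return target


def read_first_line_safely(root, candidate):
    """What a line-at-a-time printer should do before touching the file."""
    target = resolve_within_root(root, candidate)
    with open(target, encoding="utf-8") as fh:
        return fh.readline().rstrip("\n")


def check_manifest(root, entries):
    """Return {entry: 'ok' | 'rejected'} for every path in a parsed manifest.

    `entries` stands in for the list of paths a YAML loader would hand back;
    the YAML parsing itself is out of scope here.
    """
    verdicts = {}
    for entry in entries:
        try:
            resolve_within_root(root, entry)
            verdicts[entry] = "ok"
        except ValueError:
            verdicts[entry] = "rejected"
    return verdicts


def demo():
    """Build a constructed repo layout and run the check over constructed entries.

    Returns a dict with the per-entry verdicts, whether a symlink case could
    be exercised on this platform, and the first line read from the one
    legitimate entry.
    """
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "secret.txt"          # constructed: sits outside the repo
        outside.write_text("not for the terminal\n")
        repo = Path(tmp) / "repo"
        (repo / "src").mkdir(parents=True)
        (repo / "src" / "main.rs").write_text("fn main() {}\n")  # constructed
        link = repo / "link"
        try:
            link.symlink_to(outside)                 # in-tree symlink that escapes
            symlink_tested = True
        except (OSError, NotImplementedError):       # e.g. no symlink privilege
            symlink_tested = False

        entries = [
            "src/main.rs",               # legitimate in-tree file
            "../secret.txt",             # parent traversal
            "src/../../secret.txt",      # traversal hidden behind a valid prefix
            str(outside),                # absolute path
        ]
        if symlink_tested:
            entries.append("link")       # symlink whose real target is outside

        return {
            "verdicts": check_manifest(repo, entries),
            "symlink_tested": symlink_tested,
            "first_line": read_first_line_safely(repo, "src/main.rs"),
        }


if __name__ == "__main__":
    for entry, verdict in demo()["verdicts"].items():
        print(f"{verdict:8} {entry}")
```

The check is deliberately done on the resolved path rather than by string-matching for `..`, since a symlink inside the repository is the classic way a textual filter is bypassed; `shame me --dry-run`, as the advisory recommends, is the right place to surface such rejections in CI before any content is printed.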
Affected packages (3)
- crates.io/shamefile: from 0, < 0.1.7
- npm/shamefile: from 0, < 0.1.7
- PyPI/shamefile: from 0, < 0.1.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.5) | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
References (5)
- PATCH: https://github.com/BKDDFS/shamefile
- WEB: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557
- WEB: https://github.com/BKDDFS/shamefile/pull/80
- WEB: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7
- WEB: https://github.com/BKDDFS/shamefile/security/advisories/GHSA-x6p3-76f2-xxvh