{"id":"CVE-2016-10541","details":"The npm module \"shell-quote\" 1.6.0 and earlier cannot correctly escape \"\u003e\" and \"\u003c\" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.","aliases":["GHSA-qg8p-v9q4-gh34"],"modified":"2026-03-14T09:29:05.550588Z","published":"2018-05-31T20:29:01.503Z","related":["CGA-4c76-xj4h-47jq","GHSA-qg8p-v9q4-gh34"],"references":[{"type":"ADVISORY","url":"https://nodesecurity.io/advisories/117"},{"type":"EVIDENCE","url":"https://github.com/advisories/GHSA-qg8p-v9q4-gh34"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.6.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10541.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}