What is GHSA-x6p3-76f2-xxvh?

GHSA-x6p3-76f2-xxvh is a security advisory published by GitHub Security Advisories with Medium severity. Shamefile has an arbitrary file read via shamefile.yaml in shame next

Which CVE IDs does GHSA-x6p3-76f2-xxvh cover?

GHSA-x6p3-76f2-xxvh covers the following CVE IDs: CVE-2026-47144. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-x6p3-76f2-xxvh?

GHSA-x6p3-76f2-xxvh has a CVSS v3 base score of 5.5, published by GitHub Security Advisories.

Which products are affected by GHSA-x6p3-76f2-xxvh?

GHSA-x6p3-76f2-xxvh affects 3 products, including: pip/shamefile:\u003c= 0.1.6; npm/shamefile:\u003c= 0.1.6; rust/shamefile:\u003c= 0.1.6.

GHSA-x6p3-76f2-xxvhMediumCVSS 5.5

Shamefile has an arbitrary file read via shamefile.yaml in shame next

Vendor

GitHub Security Advisories

Published

May 28, 2026

Last Modified

May 28, 2026

🔗 CVE IDs covered (1)

CVE-2026-47144 →

📋 Description

Impact

A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details.

Patches

Fixed in 0.1.7. Upgrade to either 0.1.7 or later versions to incorporate the patch.

Workarounds

Do not run shame next against untrusted shamefile.yaml. Use shame me --dry-run for CI validation.

Resources

Patch commit: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557
Pull request: https://github.com/BKDDFS/shamefile/pull/80
Release: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

🎯 Affected products3

pip/shamefile:<= 0.1.6
npm/shamefile:<= 0.1.6
rust/shamefile:<= 0.1.6