Cyber Resilience

CVE-2026-35197

MediumPublic PoC

Published: 06 April 2026

Published
06 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0029 20.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-35197 is a medium-severity Code Injection (CWE-94) vulnerability in Mattiebee Dye. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35197 affects dye, a portable color library for shell scripts, in versions prior to 1.1.1. The vulnerability involves certain dye template expressions that result in the execution of arbitrary code, classified under CWE-94 (code injection). It carries a CVSS v3.1 base score of 6.6, reflecting local access requirements, low attack complexity, low privileges needed, and user interaction.

A local attacker with low privileges can exploit this by crafting malicious template expressions, tricking a user into processing them within a dye-using shell script. Successful exploitation grants high-impact confidentiality and integrity violations through arbitrary code execution, but no availability impact.

Advisories from the dye GitHub security page (GHSA-3v4r-5vfh-3wjr) and the author's site (mattiebee.io/dye-template-advisory) confirm the issue was discovered and fixed by dye's author in version 1.1.1. Practitioners should upgrade to 1.1.1 or later to mitigate.

No real-world exploitation is known.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be…

more

exploited. This vulnerability is fixed in 1.1.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Code injection vulnerability in shell script library enables arbitrary code execution via malicious templates, directly mapping to client-side exploitation (T1203) and Unix Shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39881Shared CWE-94
CVE-2024-57061Shared CWE-94
CVE-2024-56448Shared CWE-94
CVE-2025-25467Shared CWE-94
CVE-2025-57283Shared CWE-94
CVE-2025-14287Shared CWE-94
CVE-2025-59041Shared CWE-94
CVE-2025-27678Shared CWE-94
CVE-2024-43767Shared CWE-94
CVE-2026-21853Shared CWE-94

Affected Assets

mattiebee
dye
1.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by requiring timely identification, reporting, and patching of the dye library to version 1.1.1 or later, eliminating the code injection flaw.

prevent

Prevents arbitrary code execution by enforcing validation of untrusted template expressions processed by the dye library to block malicious code injection.

prevent

Mitigates risk by controlling and approving user installation of the vulnerable dye library versions prior to 1.1.1.

References