CVE-2026-35197

MediumPublic PoC

Published: 06 April 2026

Published

06 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS Score 0.0003 10.0th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35197 is a medium-severity Code Injection (CWE-94) vulnerability in Mattiebee Dye. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the vulnerability by requiring timely identification, reporting, and patching of the dye library to version 1.1.1 or later, eliminating the code injection flaw.

SI-10 Information Input Validation good match

prevent

Prevents arbitrary code execution by enforcing validation of untrusted template expressions processed by the dye library to block malicious code injection.

CM-11 User-installed Software partial match

prevent

Mitigates risk by controlling and approving user installation of the vulnerable dye library versions prior to 1.1.1.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Code injection vulnerability in shell script library enables arbitrary code execution via malicious templates, directly mapping to client-side exploitation (T1203) and Unix Shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be…

exploited. This vulnerability is fixed in 1.1.1.

Deeper analysisAI

CVE-2026-35197 affects dye, a portable color library for shell scripts, in versions prior to 1.1.1. The vulnerability involves certain dye template expressions that result in the execution of arbitrary code, classified under CWE-94 (code injection). It carries a CVSS v3.1 base score of 6.6, reflecting local access requirements, low attack complexity, low privileges needed, and user interaction.

A local attacker with low privileges can exploit this by crafting malicious template expressions, tricking a user into processing them within a dye-using shell script. Successful exploitation grants high-impact confidentiality and integrity violations through arbitrary code execution, but no availability impact.

Advisories from the dye GitHub security page (GHSA-3v4r-5vfh-3wjr) and the author's site (mattiebee.io/dye-template-advisory) confirm the issue was discovered and fixed by dye's author in version 1.1.1. Practitioners should upgrade to 1.1.1 or later to mitigate.

No real-world exploitation is known.