Browse all 6 CVE security advisories affecting ash-project. AI-powered Chinese analysis, POCs, and references for each vulnerability.
The ash-project is a Python-based security tool for analyzing shell scripts to detect vulnerabilities and security issues. Historically, it has been susceptible to multiple remote code execution (RCE) vulnerabilities, cross-site scripting (XSS) flaws, and privilege escalation issues, as evidenced by its six recorded CVEs. The tool's static analysis approach sometimes fails to properly sanitize input or handle complex shell constructs, leading to potential bypasses. While no major public security incidents have been documented, the consistent discovery of similar vulnerability classes suggests ongoing challenges in accurately parsing diverse shell script syntaxes and ensuring comprehensive security coverage.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-34593 | Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash — ashCWE-400 | 6.5AI | MediumAI | 2026-04-02 |
| CVE-2025-48044 | Authorization bypass when bypass policy condition evaluates to true — ashCWE-863 | 9.8AI | CriticalAI | 2025-10-17 |
| CVE-2025-48043 | Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization — ashCWE-863 | 9.8AI | CriticalAI | 2025-10-10 |
| CVE-2025-48042 | Before action hooks may execute in certain scenarios despite a request being forbidden — ashCWE-863 | 8.8AI | HighAI | 2025-09-07 |
This page lists every published CVE security advisory associated with ash-project. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.