HomeCVE Intelligence › CVE-2026-46377
CVSS 7.5 HIGH Vulnerability

CVE-2026-46377: Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted s…

Summary dasel's selector lexer panics with an index-out-of-range error when tokenizing a quoted string that ends with a trailing backslash (e.g., "\ or '\). A 2-byte input causes an immediate process crash via Go runtim…

7.5CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-46377
Vendorgo
Affected Productgithub.com/tomwright/dasel/v3
Vulnerability TypeVulnerability
CVSS Score7.5 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Summary dasel's selector lexer panics with an index-out-of-range error when tokenizing a quoted string that ends with a trailing backslash (e.g., "\ or '\). A 2-byte input causes an immediate process crash via Go runtime panic. I confirmed the issue on v3.3.1 (fba653c7f248aff10f2b89fca93929b64707dfc8) and on master commit 0dd6132e0c58edbd9b1a5f7ffd00dfab1e6085ad. I also verified the same code path is present in v3.0.0 (648f83baf070d9e00db8ff312febef857ec090a3). No fix is available yet.

Details The bug is in the escape sequence handler within (*Tokenizer).parseCurRune in [selector/lexer/tokenize.go#L191-L194](https://github.com/TomWright/dasel/blob/fba653c7f248aff10f2b89fca93929b64707dfc8/selector/lexer/tokenize.go#L191-L194): ```go

if p.src[pos] == '\\' { pos+

🎯 Known Indicators of Compromise

{"type":"sha1","value":"fba653c7f248aff10f2b89fca93929b64707dfc8","confidence_score":0.9,"first_seen":"2026-05-19","source_count":1} {"type":"sha1","value":"0dd6132e0c58edbd9b1a5f7ffd00dfab1e6085ad","confidence_score":0.9,"first_seen":"2026-05-19","source_count":1} {"type":"sha1","value":"648f83baf070d9e00db8ff312febef857ec090a3","confidence_score":0.9,"first_seen":"2026-05-19","source_count":1} {"type":"url","value":"https://github.com/TomWright/dasel/blob/fba653c7f248aff10f2b89fca93929b64707dfc8/selector/lexer/toke","confidence_score":0.82,"first_seen":"2026-05-19","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-46377 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence