Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-f601b2f60a advisory.

    Update to version 20.20.0

    ----

    Update to version 20.19.6




Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-4be1cd8390 advisory.

    Fix CVE-2205-64756.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-de6cf573f0 advisory.

    Fix CVE-2205-64756.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0     and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows     arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns>     are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in     filenames to trigger command injection and achieve arbitrary code execution under the user or CI account     privileges. This issue has been patched in versions 10.5.0 and 11.1.0. (CVE-2025-64756)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
297442	Fedora 43 : nodejs20 (2026-f601b2f60a)	Nessus	Fedora Local Security Checks	high
278548	Fedora 42 : yarnpkg (2025-4be1cd8390)	Nessus	Fedora Local Security Checks	high
278546	Fedora 43 : yarnpkg (2025-de6cf573f0)	Nessus	Fedora Local Security Checks	high
277379	Linux Distros Unpatched Vulnerability : CVE-2025-64756	Nessus	Misc.	high

Detections

Analytics

CVE-2025-64756

high

Tenable Plugins

high

high

high

high