From 7f46c3f1aa124d028f810a04b9ee994fbff9dc6f Mon Sep 17 00:00:00 2001
From: Viv
Date: Sat, 4 Apr 2026 03:24:47 +0200
Subject: [PATCH] add advistory for shell-words
---
crates/shell-words/RUSTSEC-0000-0000.md | 26 +++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 crates/shell-words/RUSTSEC-0000-0000.md
diff --git a/crates/shell-words/RUSTSEC-0000-0000.md b/crates/shell-words/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000000..67369806a8
--- /dev/null
+++ b/crates/shell-words/RUSTSEC-0000-0000.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "shell-words"
+
+date = "2024-12-13"
+url = "https://github.com/tmiasko/shell-words/pull/16"
+categories = ["format-injection", "file-disclosure"]
+keywords = ["shell"]
+
+[affected]
+[affected.functions]
+"shell_words::quote" = ["<= 1.1.0"]
+
+[versions]
+patched = [">= 1.1.1"]
+```
+
+# `~` not escaped (shell_words::quote)
+
+Affected versions of this crate incorrectly looked for `˜` (U+02DC SMALL TILDE) instead of the intended `~` (U+007E TILDE)
+
+This could lead to exposing the users home path, or in certain cases path traversal.
+
+This was corrected in commit efe8162, included in version `1.1.1`.
+
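Review bot: `[affected.functions]` lists only `shell_words::quote`, so tooling that filters on affected functions will not flag callers that reach the same quoting logic through another public entry point. If `shell_words::join` quotes each argument via `quote` in the affected versions (worth confirming against the crate source), add `"shell_words::join" = ["<= 1.1.0"]` next to it. The description would also be more useful to someone triaging if it said when the bug matters: a value passed through `quote` and then placed on a shell command line keeps its leading `~` unquoted, so the shell applies tilde expansion to it. Minor wording: the first paragraph lacks its final period and "users home path" should read "user's home path"; the empty `[affected]` header is redundant because `[affected.functions]` creates the parent table implicitly.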