CVE-2026-9277 — shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which i — CVE Database · The Intelligence Room