cbcvebase.
CVE-2026-27190
published 2026-02-20

Priority: P266
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.21% (80.4th percentile)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

Affected

6 ranges
Vendor    Product  Version range       Fixed in
deno      deno     < 2.6.8             2.6.8
deno      deno     >= 0 < 2.6.8        2.6.8
deno      deno     >= 0 < 2.7.10       2.7.10
deno      deno     >= 2.7.0 < 2.7.2    2.7.2
deno      deno     >= 2.7.0 < 2.7.2    2.7.2
denoland  deno

Detection & IOCs (extracted from sources)

  • Command injection occurs in Deno's node:child_process implementation when using shell: true mode — monitor for unexpected shell command execution spawned from Deno processes
  • The vulnerable code path is in ext/node/polyfills/internal/child_process.ts, specifically the transformDenoShellCommand function — audit or monitor this file path in Deno installations
  • Arguments containing $VAR patterns passed to spawnSync or spawn with shell:true are wrapped in double quotes instead of single quotes, allowing backtick command substitution — detect $VAR patterns or backtick sequences in arguments to these APIs
  • Exploitation vector is via spawnSync or spawn with shell: true — alert on Deno processes invoking these with attacker-controlled arguments containing backticks or $VAR patterns
  • CVE-2026-27190 affects Deno versions prior to 2.6.8; the fix was released in 2.6.8. A bypass of this fix was later discovered as CVE-2026-32260 (affecting 2.7.0–2.7.1, fixed in 2.7.2) — ensure detection coverage applies to both vulnerable ranges
  • A public exploit exists for this vulnerability (EPSS 75th percentile), increasing urgency of patching and detection deployment
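The bullets above describe the defect as a quoting choice: an argument containing a $VAR pattern is wrapped in double quotes, which a POSIX shell still expands and in which backticks still substitute, whereas single quotes make the argument literal. The following is an added example, not Deno's code and not from the advisory, of a guard that application code can place in front of spawn()/spawnSync() with shell: true on unpatched runtimes; the function names (isRiskyShellArg, quoteSingle, auditShellArgs) and the sample arguments are this example's own.

```javascript
// Added example (not Deno's code): a defender-side guard for application code
// that calls spawn()/spawnSync() with shell: true. It flags the argument shapes
// the advisory names ($VAR patterns and backticks) and shows the quoting that
// makes such an argument literal. Function names are assumed, not Deno APIs.

// $VAR / ${VAR} expansion and backtick substitution, as described in the
// advisory; $( ) is included because it is the POSIX equivalent of backticks.
const RISKY_ARG = /\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|`|\$\(/;

function isRiskyShellArg(arg) {
  return RISKY_ARG.test(String(arg));
}

// Wrap an argument so a POSIX shell treats it literally: inside single quotes
// neither $VAR expansion nor backtick substitution happens. The only character
// that needs handling is an embedded single quote, which is closed, escaped and
// reopened ('\''). Double quotes, the flawed wrapping the advisory describes,
// would leave both expansion and substitution active.
function quoteSingle(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Audit a full argument list before it reaches spawnSync(cmd, args, { shell: true }).
// Returns the indices of risky arguments so the caller can reject or log them.
function auditShellArgs(args) {
  return args
    .map((a, i) => (isRiskyShellArg(a) ? i : -1))
    .filter((i) => i >= 0);
}

// Constructed sample arguments (not taken from the advisory): a flag, a plain
// value, a $VAR value and a value containing backticks.
const SAMPLE_ARGS = ["--name", "plain-value", "$HOME/file.txt", "`date`"];

for (const i of auditShellArgs(SAMPLE_ARGS)) {
  console.log(`arg ${i} (${SAMPLE_ARGS[i]}) flagged; literal form: ${quoteSingle(SAMPLE_ARGS[i])}`);
}
```

This is a compensating control for code that cannot yet move off an affected version; the fix is upgrading to 2.6.8 (and 2.7.2 for the bypass), and passing untrusted input with shell: true should be avoided regardless.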

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GHSA: 9.8 CRITICAL
OSV: 9.8 CRITICAL