CVE-2026-27190
Published: 2026-02-20
Priority: P266 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.21% (80.4th percentile)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deno | deno | < 2.6.8 | 2.6.8 |
| deno | deno | >= 0 < 2.6.8 | 2.6.8 |
| deno | deno | >= 0 < 2.7.10 | 2.7.10 |
| deno | deno | >= 2.7.0 < 2.7.2 | 2.7.2 |
| deno | deno | >= 2.7.0 < 2.7.2 | 2.7.2 |
| denoland | deno | — | — |
Detection & IOCs (extracted from sources)
- Command injection occurs in Deno's node:child_process implementation when using shell: true mode — monitor for unexpected shell command execution spawned from Deno processes
- The vulnerable code path is in ext/node/polyfills/internal/child_process.ts, specifically the transformDenoShellCommand function — audit or monitor this file path in Deno installations
- Arguments containing $VAR patterns passed to spawnSync or spawn with shell:true are wrapped in double quotes instead of single quotes, allowing backtick command substitution — detect $VAR patterns or backtick sequences in arguments to these APIs
- Exploitation vector is via spawnSync or spawn with shell: true — alert on Deno processes invoking these with attacker-controlled arguments containing backticks or $VAR patterns
- CVE-2026-27190 affects Deno versions prior to 2.6.8; the fix was released in 2.6.8. A bypass of this fix was later discovered as CVE-2026-32260 (affecting 2.7.0–2.7.1, fixed in 2.7.2) — ensure detection coverage applies to both vulnerable ranges
- A public exploit exists for this vulnerability (EPSS 75th percentile), increasing the urgency of patching and detection deployment
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 9.8 (v3.1) | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | |
| osv | 9.8 | CRITICAL | |
GHSA
Deno: Command Injection via spawnSync & spawn on Windows
ghsa · 2026-06-16 · CVSS 9.8
CVE-2026-49402 [CRITICAL] CWE-78
## Summary
Deno's `node:child_process` implementation provided an `escapeShellArg()` helper used when callers passed `shell: true` to `spawn` / `spawnSync` / `exec` and friends. On Windows, the helper failed to quote arguments that contained `cmd.exe` metacharacters such as `&`, `|`, ``, `^`, `!`, `(`, `)`, and did not neutralize `%` (which `cmd.exe` expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned `cmd.exe` invocation.
This was the Windows counterpart to CVE-2026-27190, which fixed the same class of bug in the Unix branch of `escapeShellArg`.
## Details
On Windows, `child_process` with `shell: true`
GHSA
Deno vulnerable to command injection via incomplete shell metacharacter blocklist in node:child_process
ghsa · 2026-03-13 · CVSS 9.8
CVE-2026-32260 [CRITICAL] CWE-78
## Summary
A command injection vulnerability exists in Deno's `node:child_process` polyfill (`shell: true` mode) that bypasses the fix for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to `spawnSync` or `spawn` with `shell: true` can execute arbitrary OS commands, bypassing Deno's permission system.
**Affected versions:** Deno v2.7.0, v2.7.1
## Details
The two-stage argument sanitization in `transformDenoShellCommand` (`ext/node/polyfills/internal/child_process.ts`) has a priority bug: when an argument contains a `$VAR` pattern, it is wrapped in double quotes (L1290) instead of single quotes (L1293). Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute.
GHSA
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process
ghsa · 2026-02-19
CVE-2026-27190 [HIGH] CWE-78
## Summary
A command injection vulnerability exists in Deno's `node:child_process` implementation.
## Reproduction
```javascript
import { spawnSync } from "node:child_process";
import * as fs from "node:fs";
// Cleanup
try { fs.unlinkSync('/tmp/rce_proof'); } catch {}
// Create legitimate script
fs.writeFileSync('/tmp/legitimate.ts', 'console.log("normal");');
// Malicious input with newline injection
const maliciousInput = `/tmp/legitimate.ts\ntouch /tmp/rce_proof`;
// Vulnerable pattern
spawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], {
shell: true,
encoding: 'utf-8'
});
// Verify
console.log('Exploit worked:', fs.existsSync('/tmp/rce_proof'));
```
Run: `deno run --al
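An added example, not Deno's code or either advisory's PoC: it models the quoting-priority bug as the advisories describe it beside an always-single-quote routine, and adds a static checker that covers both vectors on this page (the backtick substitution of CVE-2026-32260 and the newline separator in the reproduction above). Function names and the sample arguments are assumptions.

```javascript
// Added example, not Deno's code: a simplified model of the quoting-priority bug
// beside an always-single-quote routine and a static checker. Names are assumed.
const DOLLAR_VAR = /\$[A-Za-z_][A-Za-z0-9_]*/;

// Hardened: every argument becomes one single-quoted literal. POSIX sh does
// no expansion inside '...', so $VAR, `cmd`, $(cmd), ';' and newlines are
// all inert. An embedded single quote is emitted as '\'' (close, escaped
// quote, reopen).
function quoteArgSingle(arg) {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Flawed priority (model of the bug): an argument containing $VAR is wrapped
// in double quotes, which still let backtick and $(...) substitution run;
// only other arguments get single quotes.
function quoteArgFlawed(arg) {
  if (DOLLAR_VAR.test(arg)) {
    return '"' + arg.replace(/(["\\])/g, "\\$1") + '"';
  }
  return quoteArgSingle(arg);
}

// Static check: walks sh quoting state and reports whether the quoted string
// still carries live syntax: a backtick or "$(" outside single quotes, or a
// command separator (newline ; | &) outside any quotes.
function hasLiveShellSyntax(quoted) {
  let inSingle = false;
  let inDouble = false;
  for (let i = 0; i < quoted.length; i++) {
    const c = quoted[i];
    if (inSingle) { if (c === "'") inSingle = false; continue; }
    if (c === "\\") { i++; continue; }            // escape outside '...'
    if (c === "'" && !inDouble) { inSingle = true; continue; }
    if (c === '"') { inDouble = !inDouble; continue; }
    if (c === "`" || (c === "$" && quoted[i + 1] === "(")) return true;
    if (!inDouble && "\n;|&".includes(c)) return true;
  }
  return false;
}

// Assemble the string a shell: true spawn would hand to sh -c.
function buildCommand(file, args, quoteArg) {
  return [file, ...args].map(quoteArg).join(" ");
}

// Constructed inputs: the bypass shape ($VAR plus backticks) and the newline shape.
const BYPASS_ARG = "$HOME/`id`";
const NEWLINE_ARG = "/tmp/legitimate.ts\ntouch /tmp/rce_proof";
```

The durable mitigation is to leave `shell` at its default of `false` and pass arguments as an array; quoting only matters where `shell: true` cannot be avoided.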
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-32260 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1
CVE-2026-32260 [HIGH]
## CVE-2026-32260: Rust vulnerability analysis and mitigation
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, a command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnera
Wiz
CVE-2026-27190 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1
CVE-2026-27190 [HIGH]
## CVE-2026-27190: Rust vulnerability analysis and mitigation
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.
Source: NVD
- Score: 9.8 (Severity CRITICAL; CNA score 8.1)
- Published: February 20, 2026
- Affected technologies: Rust, NixOS
- Has public exploit: Yes
- Has CISA KEV exploit: No (CISA KEV release date N/A, due date N/A)
- Exploitation probability (EPSS): 0.9 (percentile 75.1)
- Affected packages and libraries: deno
Sources
| Source | Severity | Fix status | Added at |
|---|---|---|---|
| NVD | | | |
| Alpine 3.19, 3.20, 3.21, 3.22, 3.23, edge | CRITICAL | No Fix | Mar 03, 2026 |
| Chainguard | | Has Fix | Feb 21, 2026 |
| Rust | HIGH | Has Fix | |