CVE-2026-27190 — OS Command Injection in Deno

CWE-78 — OS Command Injection8 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.9%

top 24.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Deno Denoland Deno

Timeline

PublishedFeb 20

Latest updateMar 13

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDdeno/deno2.7.0 — 2.7.2+1

▶crates.iodeno/deno2.7.0 — 2.7.2+1

▶CVEListV5denoland/deno>= 2.7.0, < 2.7.2

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process↗2026-03-13

▶

OSV

Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process↗2026-03-13

▶

GHSA

Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process↗2026-02-19

▶

OSV

Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process↗2026-02-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32260 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-27190 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶