CVE-2026-27190

HIGH

Deno <2.6.8 - Command Injection

Title source: llm

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

References (3)

[Patch] https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr

[Release Notes] https://github.com/denoland/deno/releases/tag/v2.6.8

Scores

CVSS v3 8.1

EPSS 0.0078

EPSS Percentile 73.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (1)

deno/deno < 2.6.8

Timeline

Published Feb 20, 2026

Tracked Since Feb 21, 2026