CVE-2026-32260

HIGH

Deno 2.7.0-2.7.1 - Command Injection

Title source: llm

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j

Scores

CVSS v3 8.1

EPSS 0.0012

EPSS Percentile 30.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

crates.io/deno 2.7.0 - 2.7.2crates.io

deno/deno 2.7.0 - 2.7.2

Published Mar 12, 2026

Tracked Since Mar 13, 2026