CVE-2026-32260

HIGH 8.1

Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.

CWE	CWE-78
Vendor	denoland
Product	deno
Published	Mar 12, 2026
Last Updated	Mar 13, 2026

Stay Ahead of the Next One

Get instant alerts for denoland deno

Be the first to know when new high vulnerabilities affecting denoland deno are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

denoland / deno

>= 2.7.0, < 2.7.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j