CVE-2026-22864 — HIGH (8.1)

Q: How severe is CVE-2026-22864?

CVE-2026-22864 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-22864?

Check the references section above for vendor advisories and patch information. Affected products include: Deno Deno.

Vulnerability Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Deno	Deno	< 2.5.6

Related Weaknesses (CWE)

CWE-77

References

https://github.com/denoland/deno/releases/tag/v2.5.6Release Notes
https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6ExploitVendor Advisory

FAQ

What is CVE-2026-22864?

CVE-2026-22864 is a vulnerability with a CVSS score of 8.1 (HIGH). Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched ....

How severe is CVE-2026-22864?

CVE-2026-22864 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-22864?

Check the references section above for vendor advisories and patch information. Affected products include: Deno Deno.