Vulnerability Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deno | Deno | >= 2.7.0, < 2.7.2 |
Related Weaknesses (CWE)
References
- https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28jMitigationVendor AdvisoryExploit
FAQ
What is CVE-2026-32260?
CVE-2026-32260 is a vulnerability with a CVSS score of 8.1 (HIGH). Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix...
How severe is CVE-2026-32260?
CVE-2026-32260 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32260?
Check the references section above for vendor advisories and patch information. Affected products include: Deno Deno.