{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27190", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-18T19:47:02.154Z", "datePublished": "2026-02-20T20:52:11.468Z", "dateUpdated": "2026-02-24T18:30:43.652Z"}, "containers": {"cna": {"title": "Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr"}, {"name": "https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c"}, {"name": "https://github.com/denoland/deno/releases/tag/v2.6.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/releases/tag/v2.6.8"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": "< 2.6.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T20:52:11.468Z"}, "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8."}], "source": {"advisory": "GHSA-hmh4-3xvx-q5hr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:30:23.207545Z", "id": "CVE-2026-27190", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:30:43.652Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27190", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T18:30:23.207545Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:30:32.566Z"}}], "cna": {"title": "Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process", "source": {"advisory": "GHSA-hmh4-3xvx-q5hr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"status": "affected", "version": "< 2.6.8"}]}], "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr", "name": "https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c", "name": "https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/denoland/deno/releases/tag/v2.6.8", "name": "https://github.com/denoland/deno/releases/tag/v2.6.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T20:52:11.468Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27190", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:30:43.652Z", "dateReserved": "2026-02-18T19:47:02.154Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-20T20:52:11.468Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC88416B-4E66-4B72-B9D6-AB4590EAB1A2", "versionEndExcluding": "2.6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8."}, {"lang": "es", "value": "Deno es un entorno de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly. Antes de la versi\u00f3n 2.6.8, existe una vulnerabilidad de inyecci\u00f3n de comandos en la implementaci\u00f3n de node:child_process de Deno. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.6.8."}], "id": "CVE-2026-27190", "lastModified": "2026-03-02T13:35:52.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-20T21:19:28.090", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/denoland/deno/releases/tag/v2.6.8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.8)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 82.0, "source": "matching"}]}, "original": {"product": "deno", "source": "cna", "vendor": "denoland"}, "product": "deno", "vendor": "deno"}], "analysis": {"en": {"generated_at": "2026-04-17T17:12:08.073957+00:00", "value": {"mitigation_remediation": ["Upgrade Deno to version 2.6.8 or newer to apply the vendor patch", "If an upgrade is not immediately possible, avoid using node:child_process or remove any untrusted input from command arguments", "Ensure that all inputs passed to child_process are properly validated or sanitized before use"], "summary": {"action": "Immediate Patch", "impact": "Command Injection leading to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The issue affects the denoland:deno runtime packages that use the node:child_process module. All releases prior to v2.6.8 are vulnerable. The fix was applied in the v2.6.8 release and later versions are considered safe.", "description_and_impact": "The vulnerability arises from an incomplete blocklist of shell metacharacters in Deno's node:child_process implementation. When an untrusted input can be supplied to the child_process APIs, the attacker can insert shell metacharacters that are not properly filtered, enabling arbitrary shell command execution. This flaw belongs to CWE\u201178 and can compromise confidentiality, integrity, and availability of the system if an untrusted payload is executed.", "risk_and_exploitability": "The CVSS v3.1 score is 8.1, marking it as high severity. The EPSS score is below 1\u202f%, indicating a low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The attack vector would typically involve an application that spawns shell commands and processes user\u2011 supplied data. Because child_process is a local API, the attacker would need access to run code in the Deno process, but once inside, arbitrary system commands could be executed."}}}}, "created": "2026-02-23T14:35:12.422757+00:00", "updated": "2026-04-17T17:15:23.724615+00:00", "vendors": ["deno", "deno$PRODUCT$deno"]}