Skip to main content

Deno CVE-2026-27190

HIGH
OS Command Injection (CWE-78)
2026-02-20 security-advisories@github.com GHSA-hmh4-3xvx-q5hr
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:04 vuln.today
PoC Detected
Mar 02, 2026 - 13:35 vuln.today
Public exploit code
Patch released
Mar 02, 2026 - 13:35 nvd
Patch available
CVE Published
Feb 20, 2026 - 21:19 nvd
HIGH 8.1

DescriptionGitHub Advisory

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

AnalysisAI

Command injection in Deno versions prior to 2.6.8 allows unauthenticated remote attackers to execute arbitrary commands through the node:child_process implementation. Public exploit code exists for this vulnerability, which carries a CVSS score of 8.1 and affects the confidentiality, integrity, and availability of affected systems. Users should upgrade to Deno 2.6.8 or later to remediate this risk.

Technical ContextAI

Classified as CWE-78 (OS Command Injection). Affects Deno. Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 2.6.8.. Restrict network access to the affected service where possible.

More in Deno

View all
CVE-2025-48935 CRITICAL POC
9.1 Jun 04

Deno versions 2.2.0 through 2.2.4 contain an authorization bypass vulnerability in SQLite database handling that allows

CVE-2024-27934 HIGH POC
8.8 Mar 21

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.8), this vulnerability is low att

CVE-2024-27933 HIGH POC
8.8 Mar 21

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.8), this vulnerability is low att

CVE-2023-28446 HIGH POC
8.8 Mar 24

Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated high

CVE-2024-27935 HIGH POC
8.3 Mar 21

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.3), this vulnerability is remotel

CVE-2026-22864 HIGH POC
8.1 Jan 15

Arbitrary code execution in Deno runtime versions before 2.5.6 allows unauthenticated attackers to bypass shell script e

CVE-2026-22863 HIGH POC
7.5 Jan 15

Deno versions up to 2.6.0 contains a vulnerability that allows attackers to have infinite encryptions (CVSS 7.5).

CVE-2023-26103 HIGH POC
7.5 Feb 25

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upg

CVE-2023-22499 HIGH POC
7.5 Jan 17

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated high severity (CVSS 7.5), this

CVE-2024-32477 HIGH POC
7.4 Apr 18

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated high severity (CVSS 7.4), this vul

CVE-2024-27936 MEDIUM POC
6.5 Mar 21

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated medium severity (CVSS 6.5), this v

CVE-2024-27931 MEDIUM POC
6.5 Mar 05

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated medium severity (CVSS 6.5), this v

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-27190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy