
Deno Land: Deno: Command Injection in node:child_process via Newline in Argv

CVE-2026-27190 · High · Published
CVSS
8.1 High · Network · No PR
EPSS
0.00868 (0.9% chance of exploit in 30d)
CWE
CWE-78 OS Command Injection
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Per GHSA-hmh4-3xvx-q5hr: “A command injection vulnerability exists in Deno’s node:child_process implementation.” The GHSA’s reproduction shows the bypass: a newline embedded in an argv value (e.g. `/tmp/legitimate.ts\ntouch /tmp/rce_proof`) passed to spawnSync with `shell: true` results in the appended command being executed.

Affected Packages / Versions

  • Package: deno (—)
  • Latest published version at triage time: Prior to 2.6.8
  • Affected range: Per GHSA-hmh4-3xvx-q5hr: deno < 2.6.8
  • Patched version: Deno 2.6.8

Impact

Per GHSA: command injection in any Deno program that passes untrusted input through node:child_process with shell: true. The GHSA’s PoC demonstrates arbitrary command execution via newline injection.

Severity Rationale

GHSA severity: HIGH. NVD CVSS 8.1 (High): network attack vector, high attack complexity (the vulnerable code path requires `shell: true` and attacker-controlled argv), no privileges required, no user interaction, high confidentiality, integrity and availability impact.

Fix

Per GHSA: upgrade to Deno 2.6.8 or later. Fix commit linked below.

Disclosure timeline

  • TBD: Reported to vendor
  • TBD: Patch released (Deno 2.6.8)
  • Feb 19, 2026: GHSA-hmh4-3xvx-q5hr published

Fix Commit(s)

References

Discovered by Adnan Jakati (Praetorian) — per cve-research listing · Published April 29, 2026