CVE-2026-49402
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
In Deno before version 2.7.10, the escapeShellArg() function in the node:child_process implementation improperly handled cmd.exe special characters on Windows. An attacker controlling part of an argument passed to spawn() or exec() with shell:true could inject additional commands.
Risk Assessment
The risk is the possibility of remote arbitrary command execution on Windows by an attacker who influences arguments passed to child processes spawned by Deno.
Recommendation
Update Deno to version 2.7.10 or later immediately. In the meantime, avoid using shell:true in spawn/exec calls on Windows systems.
Original NVD description (English source)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters and did not neutralize % (which cmd.exe expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned cmd.exe invocation. This vulnerability is fixed in 2.7.10.

