CVE Catalog

CVE-2026-49402

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

In Deno before version 2.7.10, the escapeShellArg() function in the node:child_process implementation improperly handled cmd.exe special characters on Windows. An attacker controlling part of an argument passed to spawn() or exec() with shell:true could inject additional commands.

Risk Assessment

The risk is the possibility of remote arbitrary command execution on Windows by an attacker who influences arguments passed to child processes spawned by Deno.

Recommendation

Update Deno to version 2.7.10 or later immediately. In the meantime, avoid using shell:true in spawn/exec calls on Windows systems.

Original NVD description (English source)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters and did not neutralize % (which cmd.exe expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned cmd.exe invocation. This vulnerability is fixed in 2.7.10.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS