Command Injection Vulnerability in Deno Runtime by DenoLand
CVE-2026-32260

8.1 HIGH

Key Information:

Vendor: Denoland
Status: Vendor
CVE Published: 12 March 2026

What is CVE-2026-32260?

A command injection vulnerability exists in the Deno Runtime's node:child_process polyfill when it is used in shell: true mode. The issue affects versions 2.7.0 and 2.7.1, where the argument sanitization performed by transformDenoShellCommand does not correctly handle arguments containing a $VAR pattern. Such arguments are wrapped in double quotes rather than single quotes, and POSIX sh still performs backtick command substitution inside double quotes. An attacker who can influence the arguments passed to spawnSync or spawn can therefore execute arbitrary operating system commands, bypassing the Deno permission model. The issue has been addressed in version 2.7.2.
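As an added example (not Deno's own code), the quoting rule the fix depends on: inside POSIX sh double quotes, `$VAR`, backticks and backslashes are still interpreted, whereas a single-quoted argument is passed through literally. The function names and sample arguments below are constructed for illustration.

```javascript
// Characters POSIX sh still interprets inside double quotes: parameter
// expansion ($), command substitution (`...`, and $(...) via $), backslash
// escapes, and the closing quote itself.
const DOUBLE_QUOTE_SPECIALS = /[$`"\\]/;

// Returns true when wrapping `arg` in double quotes would leave part of it
// subject to shell interpretation (the class of bug in this advisory).
function unsafeInDoubleQuotes(arg) {
  return DOUBLE_QUOTE_SPECIALS.test(arg);
}

// Single-quote an argument for POSIX sh. Nothing is interpreted inside
// single quotes, so the only character needing care is a literal single
// quote, which is emitted as '\'' (close quote, escaped quote, reopen).
function shQuote(arg) {
  if (arg === "") return "''";
  // Plain words need no quoting at all.
  if (/^[A-Za-z0-9_\/.:=@%+,-]+$/.test(arg)) return arg;
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Build the command line a shell: true spawn hands to sh -c, quoting every
// argument so the shell sees each one as exactly one literal word.
function buildShellCommand(file, args) {
  return [file, ...args].map(shQuote).join(" ");
}

// Constructed sample arguments: a $VAR pattern, a backtick substitution,
// and an embedded single quote.
const SAMPLE_ARGS = ["$HOME", "x`echo y`", "it's"];

// Shows which samples a double-quoting sanitizer would mishandle, and the
// safely single-quoted command line for the same arguments.
function demo() {
  return {
    stillExpandsInDoubleQuotes: SAMPLE_ARGS.filter(unsafeInDoubleQuotes),
    command: buildShellCommand("printf", ["%s\\n", ...SAMPLE_ARGS]),
  };
}
```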

Affected Version(s)

deno >= 2.7.0, < 2.7.2

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
