Filesystem and Execution Vulnerability in Deno Runtime
CVE-2026-49401

7.3 HIGH

Key Information:

Vendor: Denoland

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-49401?

Deno, a popular JavaScript, TypeScript, and WebAssembly runtime, has a vulnerability in its permission system. Before version 2.7.14, it incorrectly enforced filesystem and execution restrictions: requested paths were compared with the paths defined in its deny rules, and on macOS this comparison was made at the raw-byte level. That is a risk because of how APFS handles different Unicode spellings of a file name. The mismatch could allow a malicious program to bypass the restrictions and access forbidden paths by using a different encoding of the file name.
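The class of bug described above, shown as an added example that is not Deno's code and not the fix shipped in 2.7.14: a deny-rule check that compares path components byte for byte, next to one that brings both sides to a single Unicode normalization form first. The function names, the deny rule and the sample paths are constructed for illustration.

```javascript
// Added illustration; isDenied() and the paths below are hypothetical, not Deno APIs.
const enc = new TextEncoder();

// Raw-byte equality of two strings' UTF-8 encodings.
function bytesEqual(a, b) {
  const x = enc.encode(a);
  const y = enc.encode(b);
  return x.length === y.length && x.every((v, i) => v === y[i]);
}

// Split a path into components; optionally bring each to one canonical form (NFD).
function components(path, normalize) {
  return path
    .split("/")
    .filter(Boolean)
    .map((c) => (normalize ? c.normalize("NFD") : c));
}

// True when `requested` is the denied path itself or lies below it.
// Matching is per component, so "/a/secrets2" is not treated as under "/a/secrets".
function isDenied(requested, denyRule, { normalize }) {
  const req = components(requested, normalize);
  const rule = components(denyRule, normalize);
  if (req.length < rule.length) return false;
  return rule.every((c, i) => bytesEqual(c, req[i]));
}

// Constructed sample data: the same visible name spelled two ways.
const DENY = "/Users/dev/caf\u00e9/secrets";             // precomposed "é"
const REQ_NFC = "/Users/dev/caf\u00e9/secrets/key.pem";   // same spelling as the rule
const REQ_NFD = "/Users/dev/cafe\u0301/secrets/key.pem";  // "e" + combining acute
const SIBLING = "/Users/dev/caf\u00e9/secrets2/key.pem";  // different directory

function evaluate() {
  return {
    rawSameSpelling: isDenied(REQ_NFC, DENY, { normalize: false }),
    rawOtherSpelling: isDenied(REQ_NFD, DENY, { normalize: false }),
    normalizedOtherSpelling: isDenied(REQ_NFD, DENY, { normalize: true }),
    normalizedSibling: isDenied(SIBLING, DENY, { normalize: true }),
  };
}

console.log(evaluate());
```

The raw comparison applies the deny rule only to the spelling the rule was written in, while the normalized comparison applies it to both spellings and still leaves the sibling directory alone. Normalizing in user space approximates the filesystem's own equivalence rules, so a policy check is more robust when it compares the resolved file rather than the string.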

Affected Version(s)

deno < 2.7.14

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
