Arbitrary Command Injection in Deno JavaScript Runtime
CVE-2026-49402

8.1 HIGH

Key Information:

Vendor

Denoland

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-49402?

The Deno JavaScript runtime, prior to version 2.7.10, contained a flaw in its node:child_process implementation. When the 'shell: true' option was used with functions such as spawn, spawnSync, or exec (which on Windows run the command through cmd.exe), the escapeShellArg() helper did not properly quote arguments containing cmd.exe metacharacters and did not neutralize the '%' character, which cmd.exe uses for environment-variable expansion. An attacker who could influence the argument values passed to such a call could therefore inject arbitrary commands into the spawned cmd.exe context. The issue has been addressed in version 2.7.10.
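The following is an added example, not code from Deno or from this advisory. It shows two defensive checks a caller of node:child_process can apply on its own side, independent of the runtime's escaping: a scan for the cmd.exe metacharacters an argument must not carry when it will be handed to `shell: true` (including '%'), and an audit step that blocks such a call and lets the plain array form through, since without a shell the arguments never pass through cmd.exe parsing. The function names and the sample calls are constructed for illustration; nothing is actually spawned.

```javascript
// Added example (not Deno's or the advisory's code). Pure JavaScript that runs
// under Node or Deno; no child process is created.

// Characters cmd.exe interprets on a command line. '%' is listed because it
// triggers environment-variable expansion and cannot be reliably quoted away.
const CMD_METACHARS = ['&', '|', '<', '>', '^', '%', '"', '(', ')', '!', '\r', '\n'];

// Return the distinct metacharacters present in `arg` (empty array when clean).
function findCmdMetachars(arg) {
  const s = String(arg);
  return CMD_METACHARS.filter((c) => s.includes(c));
}

// Classify a proposed spawn(command, args, options) call:
//  - shell absent/false: args reach CreateProcess as an array, no shell parsing -> "safe"
//  - shell requested and every arg clean                                     -> "review"
//  - shell requested and at least one arg carries a metacharacter            -> "blocked"
function auditSpawnCall({ command, args = [], options = {} }) {
  const usesShell = options.shell === true || typeof options.shell === 'string';
  if (!usesShell) return { command, verdict: 'safe', offending: [] };
  const offending = args
    .map((a) => ({ arg: a, chars: findCmdMetachars(a) }))
    .filter((x) => x.chars.length > 0);
  return offending.length === 0
    ? { command, verdict: 'review', offending: [] }
    : { command, verdict: 'blocked', offending };
}

// Wrapper that refuses to run a blocked call. `spawnFn` (e.g. child_process.spawn)
// is injected so the decision logic can be exercised without spawning anything.
function guardedSpawn(spawnFn, command, args, options) {
  const result = auditSpawnCall({ command, args, options });
  if (result.verdict === 'blocked') {
    throw new Error(`refusing to spawn via cmd.exe: ${JSON.stringify(result.offending)}`);
  }
  return spawnFn(command, args, options);
}

// Constructed sample calls, as an application might issue them.
const SAMPLE_CALLS = [
  { command: 'git', args: ['log', '--oneline'], options: {} },
  { command: 'echo', args: ['hello world'], options: { shell: true } },
  { command: 'echo', args: ['%TEMP%'], options: { shell: true } },
];

// Audit a batch of calls and return one verdict per call, in order.
function auditAll(calls = SAMPLE_CALLS) {
  return calls.map((c) => auditSpawnCall(c).verdict);
}
```

The practical rule the audit encodes is that `shell: true` should be the exception: pass the executable and its arguments as an array and let the runtime hand them to the process directly, so the correctness of any escaping helper stops being part of the trust boundary.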

Affected Version(s)

deno < 2.7.10

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
