Cyber Posture

CVE-2026-27190

High · Public PoC

Published: 20 February 2026

Modified: 02 March 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0091 (75.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires timely remediation of the command injection flaw in Deno's node:child_process by upgrading to version 2.6.8 or later.

detect

Vulnerability scanning identifies systems running vulnerable Deno versions prior to 2.6.8 affected by this CVE.

prevent

Restricts execution and deployment of unapproved vulnerable Deno versions, limiting exposure to the command injection vulnerability.

Security Summary (AI)

CVE-2026-27190 is a command injection vulnerability (CWE-78) in the node:child_process implementation of Deno, a runtime for JavaScript, TypeScript, and WebAssembly. The issue affects Deno versions prior to 2.6.8, as disclosed on February 20, 2026, with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential high impacts on confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely over the network without privileges or user interaction, though it requires high attack complexity. Successful exploitation enables command injection, allowing attackers to execute arbitrary commands on the host system, potentially leading to full remote code execution, data compromise, or system disruption within the Deno runtime environment.

Deno's security advisory (GHSA-hmh4-3xvx-q5hr) and release notes confirm the vulnerability is fixed in version 2.6.8. Mitigation involves upgrading to Deno 2.6.8 or later, with the specific patch detailed in commit 9132ad958c83a0d0b199de12b69b877f63edab4c available on the project's GitHub repository.

Details

CWE(s)

Affected Products

deno
deno
≤ 2.6.8

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection vulnerability in Deno's child_process enables remote exploitation of public-facing applications (T1190) for arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
