Cyber Posture

CVE-2026-32260

Severity: High · Public PoC

Published: 12 March 2026
Modified: 18 March 2026
KEV Added:
Patch: fixed in 2.7.2
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions 2.7.0 to 2.7.1, a command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (line 1290 of that file) instead of single quotes. Double quotes in POSIX sh do not suppress backtick (or $(...)) command substitution, so a backtick payload placed in the same argument is still executed by the shell. An attacker who controls arguments passed to spawnSync or spawn with shell: true can therefore execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
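The quoting decision described above, as an added example that is not Deno's own code (transformDenoShellCommand is not reproduced here, and the $VAR pattern, function names and sample argument are assumptions): a model of the buggy priority (the $VAR check wins and selects double quotes) beside the single-quote form, plus a small POSIX sh quote-state scanner that reports whether a built command line still contains a command substitution the shell would evaluate.

```typescript
// Added example (not Deno's own code): a minimal model of the quoting
// decision the advisory describes, plus a POSIX sh quote-state scanner
// that reports whether a built command line still contains a command
// substitution the shell would evaluate. Names below are hypothetical.

type QuoteState = "none" | "single" | "double";

// Rough shape of the $VAR reference the advisory says triggers double
// quoting (assumption: the real pattern may differ).
const VAR_PATTERN = /\$[A-Za-z_][A-Za-z0-9_]*/;

// Single-quote an argument: inside '...' the shell expands nothing, so the
// only character needing special handling is the single quote itself,
// emitted as '\'' (close, escaped quote, reopen).
function singleQuote(arg: string): string {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Model of the buggy priority: the $VAR check runs first and wins, so an
// argument that also carries a backtick is double-quoted. POSIX sh still
// performs `...` and $(...) substitution inside double quotes.
function quoteArgVulnerable(arg: string): string {
  if (VAR_PATTERN.test(arg)) {
    return '"' + arg.replace(/"/g, '\\"') + '"';
  }
  return singleQuote(arg);
}

// Hardened form: every argument is single-quoted, whatever it contains.
// The cost is that a literal "$HOME" reaches the child unexpanded, which
// is the intended behaviour for an argument (as opposed to a shell script).
function quoteArgSafe(arg: string): string {
  return singleQuote(arg);
}

function buildShellCommand(
  cmd: string,
  args: string[],
  quote: (arg: string) => string,
): string {
  return [cmd, ...args.map(quote)].join(" ");
}

// Walk the command line tracking POSIX sh quoting state and return the
// first command substitution (backtick or "$(") that is NOT inside single
// quotes, i.e. one the shell would execute. Backslash escapes outside
// single quotes are skipped (inside "..." a backslash escapes ` and $).
function findLiveSubstitution(
  cmdline: string,
): { index: number; kind: "backtick" | "$()" } | null {
  let state: QuoteState = "none";
  for (let i = 0; i < cmdline.length; i++) {
    const c = cmdline.charAt(i);
    if (state === "single") {
      if (c === "'") state = "none";
      continue;
    }
    if (c === "\\") {
      i++; // escaped character, never starts a substitution
      continue;
    }
    if (c === '"') {
      state = state === "double" ? "none" : "double";
      continue;
    }
    if (c === "'" && state === "none") {
      state = "single";
      continue;
    }
    if (c === "`") return { index: i, kind: "backtick" };
    if (c === "$" && cmdline.charAt(i + 1) === "(") return { index: i, kind: "$()" };
  }
  return null;
}

// Constructed attacker-controlled argument: carries a $VAR reference so the
// buggy sanitizer picks double quotes, and a backtick payload the shell
// then runs. `id` stands in for any command.
const ATTACKER_ARG = "$HOME/`id`";

const VULNERABLE_CMDLINE = buildShellCommand("ls", ["-l", ATTACKER_ARG], quoteArgVulnerable);
const SAFE_CMDLINE = buildShellCommand("ls", ["-l", ATTACKER_ARG], quoteArgSafe);

console.log("vulnerable:", VULNERABLE_CMDLINE, "->", findLiveSubstitution(VULNERABLE_CMDLINE));
console.log("safe:      ", SAFE_CMDLINE, "->", findLiveSubstitution(SAFE_CMDLINE));
```

The scanner is a checker, not a fix: use it to confirm that whatever quoting a wrapper produces leaves no backtick or $( outside single quotes. The safer engineering choice remains to avoid shell: true with untrusted arguments altogether and pass an argv array to the program directly.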

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the vulnerability by requiring timely flaw remediation, here upgrading Deno to 2.7.2 or later, which removes the specific command injection flaw.

prevent: Requires validation and sanitization of user-controlled arguments passed to spawnSync or spawn with shell: true, preventing injection via backtick command substitution inside double-quoted strings. Where possible, avoid shell: true for untrusted input entirely and pass arguments as an argv array.

detect: Enables real-time monitoring of system processes and command executions so that anomalous child processes spawned by the Deno process (for example a shell launched from a web handler) are identified as a sign of successful exploitation.

Security Summary

CVE-2026-32260 is a command injection vulnerability in Deno, a JavaScript, TypeScript, and WebAssembly runtime. It affects versions 2.7.0 through 2.7.1 in the node:child_process polyfill when operating in shell: true mode. The issue stems from a priority bug in the two-stage argument sanitization within transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts), where arguments containing a $VAR pattern are wrapped in double quotes rather than single quotes. Double quotes in POSIX sh fail to suppress backtick command substitution, enabling injected commands to execute and bypassing the fix for the related CVE-2026-27190. The vulnerability is classified under CWE-78 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An attacker who controls the arguments passed to spawnSync or spawn with shell: true can exploit this vulnerability over the network with high attack complexity but no privileges or user interaction required. Successful exploitation allows execution of arbitrary operating system commands, circumventing Deno's permission system and potentially leading to high-impact confidentiality, integrity, and availability compromises on the targeted system.

The official GitHub Security Advisory (GHSA-4c96-w8v2-p28j) confirms the vulnerability and states it is fixed in Deno version 2.7.2. Security practitioners should upgrade to 2.7.2 or later to mitigate the issue.

Details

CWE(s)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products
deno / deno: 2.7.0 to 2.7.1 (fixed in 2.7.2)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables remote command injection, giving arbitrary OS command execution through the Unix shell (POSIX sh), in public-facing Deno applications that call spawn or spawnSync with shell: true on attacker-influenced arguments.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

GHSA-4c96-w8v2-p28j (GitHub Security Advisory): https://github.com/advisories/GHSA-4c96-w8v2-p28j