
CVE-2026-32260

High · Public PoC · RCE

Published: 12 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: fixed in 2.7.2
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0148 (70.6th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-32260 is a high-severity OS Command Injection (CWE-78) vulnerability in the Deno runtime (vendor Deno, product Deno). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 29.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32260 is a command injection vulnerability in Deno, a JavaScript, TypeScript, and WebAssembly runtime. It affects versions 2.7.0 through 2.7.1 in the node:child_process polyfill when operating in shell: true mode. The issue stems from a priority bug in the two-stage argument sanitization within transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts), where arguments containing a $VAR pattern are wrapped in double quotes rather than single quotes. Double quotes in POSIX sh fail to suppress backtick command substitution, enabling injected commands to execute and bypassing the fix for the related CVE-2026-27190. The vulnerability is classified under CWE-78 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An attacker who controls the arguments passed to spawnSync or spawn with shell: true can exploit this vulnerability over the network with high attack complexity but no privileges or user interaction required. Successful exploitation allows execution of arbitrary operating system commands, circumventing Deno's permission system and potentially leading to high-impact confidentiality, integrity, and availability compromises on the targeted system.

The official GitHub Security Advisory (GHSA-4c96-w8v2-p28j) confirms the vulnerability and states it is fixed in Deno version 2.7.2. Security practitioners should upgrade to 2.7.2 or later to mitigate the issue.

Vulnerability details

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, a command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
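The quoting difference described in the analysis and vulnerability details above, as an added example that is not Deno's code and not the 2.7.2 fix: a single-quote wrapper that passes an argument to POSIX sh byte-for-byte, the weaker double-quote wrapper beside it, and an audit helper that reports which substitution syntax stays live inside double quotes. The function names (singleQuote, doubleQuote, liveInsideDoubleQuotes, buildShellCommand) and the sample argument are chosen here.

```javascript
// Added example, not Deno's code. Inside double quotes POSIX sh still performs
// parameter expansion ($VAR, ${VAR}), command substitution ($(...) and
// backticks) and backslash escapes; inside single quotes nothing is
// interpreted, and a literal ' is written as '\''.

// Wrap an argument so POSIX sh passes its content through unchanged.
function singleQuote(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// The weak wrapper: escaping only " and \ leaves ` and $ active in sh.
function doubleQuote(arg) {
  return '"' + String(arg).replace(/(["\\])/g, "\\$1") + '"';
}

// Report which substitution metacharacters remain live when `arg` is placed
// inside double quotes. An empty list means double quoting would have been
// enough for this particular argument; a non-empty list means it is not.
function liveInsideDoubleQuotes(arg) {
  const s = String(arg);
  const live = [];
  if (s.includes("`")) live.push("backtick command substitution");
  if (/\$\(/.test(s)) live.push("$( ) command substitution");
  if (/\$[A-Za-z_{]/.test(s)) live.push("parameter expansion");
  return live;
}

// Build the command string a caller would hand to sh with shell: true, always
// single-quoting so argument content can never be parsed as shell syntax.
function buildShellCommand(program, args) {
  return [program, ...args.map(singleQuote)].join(" ");
}

// Constructed sample: an argument holding both a $VAR pattern and a backtick,
// the shape the advisory describes. Under the weak wrapper the backtick is
// still live; under single quotes it is inert.
const sample = "report for $USER at `date`";
console.log(doubleQuote(sample), liveInsideDoubleQuotes(sample));
console.log(buildShellCommand("logger", ["-t", "app", sample]));
```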

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Vulnerability enables remote command injection for arbitrary OS command execution via Unix Shell (POSIX sh) in public-facing Deno applications using spawn/spawnSync with shell: true.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27190: same product (Deno Deno)
CVE-2026-22863: same product (Deno Deno)
CVE-2026-22864: same product (Deno Deno)
CVE-2025-61787: same product (Deno Deno)
CVE-2018-25115: shared CWE-78
CVE-2025-24382: shared CWE-78
CVE-2026-29058: shared CWE-78
CVE-2024-57016: shared CWE-78
CVE-2024-46484: shared CWE-78
CVE-2015-10145: shared CWE-78

Affected Assets

Vendor: deno
Product: deno
Versions: 2.7.0 — 2.7.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the vulnerability by requiring timely remediation through patching to Deno 2.7.2 or later, addressing the specific command injection flaw.

SI-10 Information Input Validation (prevent): Requires validation and sanitization of user-controlled arguments passed to spawnSync or spawn with shell: true, preventing injection via backtick command substitution in double-quoted strings.

Detect: Enables real-time monitoring of system processes and command executions to identify anomalous OS command activity resulting from successful exploitation.