CVE-2026-32260
Published: 12 March 2026
Summary
CVE-2026-32260 is a high-severity OS Command Injection (CWE-78) vulnerability in Deno Deno. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation through patching to Deno 2.7.2 or later, addressing the specific command injection flaw.
Requires validation and sanitization of user-controlled arguments passed to spawnSync or spawn with shell: true, preventing injection via backtick command substitution in double-quoted strings.
Enables real-time monitoring of system processes and command executions to identify anomalous OS command activity resulting from successful exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote command injection for arbitrary OS command execution via Unix Shell (POSIX sh) in public-facing Deno applications using spawn/spawnSync with shell: true.
NVD Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority…
more
bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
Deeper analysisAI
CVE-2026-32260 is a command injection vulnerability in Deno, a JavaScript, TypeScript, and WebAssembly runtime. It affects versions 2.7.0 through 2.7.1 in the node:child_process polyfill when operating in shell: true mode. The issue stems from a priority bug in the two-stage argument sanitization within transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts), where arguments containing a $VAR pattern are wrapped in double quotes rather than single quotes. Double quotes in POSIX sh fail to suppress backtick command substitution, enabling injected commands to execute and bypassing the fix for the related CVE-2026-27190. The vulnerability is classified under CWE-78 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker who controls the arguments passed to spawnSync or spawn with shell: true can exploit this vulnerability over the network with high attack complexity but no privileges or user interaction required. Successful exploitation allows execution of arbitrary operating system commands, circumventing Deno's permission system and potentially leading to high-impact confidentiality, integrity, and availability compromises on the targeted system.
The official GitHub Security Advisory (GHSA-4c96-w8v2-p28j) confirms the vulnerability and states it is fixed in Deno version 2.7.2. Security practitioners should upgrade to 2.7.2 or later to mitigate the issue.
Details
- CWE(s)