CVE-2026-32260: Deno vulnerable to command injection via incomplete shell metacharacter blocklist in node:child_process
A command injection vulnerability exists in Deno’s node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno’s permission system.
Affected versions: Deno v2.7.0, v2.7.1
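To find code exposed to this issue, the following added example (not part of the advisory or of Deno's own code) checks a version string against the two affected versions listed above and heuristically locates spawn/spawnSync calls that pass shell: true. The function names and the sample source are constructed for illustration.

```javascript
// Added example: audit helper for CVE-2026-32260 exposure (heuristic, not a parser).
// Versions come from the advisory; function names and SAMPLE are constructed.
const AFFECTED_DENO_VERSIONS = new Set(["2.7.0", "2.7.1"]);

// True when the version string (e.g. "v2.7.1" or Deno.version.deno) is listed as affected.
function isListedAffected(version) {
  return AFFECTED_DENO_VERSIONS.has(String(version).trim().replace(/^v/, ""));
}

// Locate spawn()/spawnSync() calls whose argument list contains `shell: true`.
// Parentheses inside string literals can confuse the span; review hits by hand.
function findShellTrueCalls(source) {
  const findings = [];
  const callRe = /\b(spawnSync|spawn)\s*\(/g;
  let m;
  while ((m = callRe.exec(source)) !== null) {
    let depth = 1;
    let end = callRe.lastIndex; // first character after the opening "("
    while (end < source.length && depth > 0) {
      if (source[end] === "(") depth++;
      else if (source[end] === ")") depth--;
      end++;
    }
    const call = source.slice(m.index, end);
    if (/\bshell\s*:\s*true\b/.test(call)) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ fn: m[1], line, call });
    }
  }
  return findings;
}

// Combine both checks: exposure needs an affected runtime AND a shell: true call site.
function audit(version, source) {
  const runtimeAffected = isListedAffected(version);
  const findings = findShellTrueCalls(source);
  return { runtimeAffected, findings, exposed: runtimeAffected && findings.length > 0 };
}

// Constructed sample source: two calls use shell: true, one does not.
const SAMPLE = [
  'import { spawn, spawnSync } from "node:child_process";',
  'spawnSync("git", ["log", userRef], { shell: true });',
  'spawnSync("git", ["log", "--", userRef]);',
  'spawn("ls", [dir], {',
  '  shell: true,',
  '});',
].join("\n");

console.log(audit("v2.7.1", SAMPLE));
```

Each hit is a call site to review: where the arguments can carry untrusted input, invoking the program directly without shell: true avoids shell parsing altogether.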