CVE-2026-22864
CVE-2026-22864 is a high-severity vulnerability in Deno with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-77.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- EPSS exploit prediction: 1% (45th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-2935
- Weakness: CWE-77
- Affected product: Deno
- Published:
- Last modified:
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.
Frequently asked questions
- What is CVE-2026-22864?
- Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.
- How severe is CVE-2026-22864?
- CVE-2026-22864 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-22864 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (45th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-22864?
- CVE-2026-22864 affects Deno. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-22864?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-22864 have an EU (EUVD) identifier?
- Yes. CVE-2026-22864 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-2935.
- When was CVE-2026-22864 published?
- CVE-2026-22864 was published on 2026-01-15 and last updated on 2026-06-17.
References
- https://github.com/denoland/deno/releases/tag/v2.5.6
- https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6
Affected products (1)
- cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*
More vulnerabilities in Deno
- CVE-2022-24783 — Critical (CVSS 10.0): Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are…
- CVE-2023-28445 — Critical (CVSS 9.9): Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to…
- CVE-2021-32619 — Critical (CVSS 9.8): Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1,…
- CVE-2025-48935 — Critical (CVSS 9.1): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is…
- CVE-2024-27936 — High (CVSS 8.8): Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to…
- CVE-2023-28446 — High (CVSS 8.8): Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary…
Other CWE-77 (Command Injection) vulnerabilities
- CVE-2026-23652 — Critical (CVSS 10.0): Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an…
- CVE-2025-59818 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file…
- CVE-2025-64093 — Critical (CVSS 10.0): Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the…
- CVE-2025-64090 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
- CVE-2025-61492 — Critical (CVSS 10.0): A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to…
- CVE-2025-10035 — Critical (CVSS 10.0): A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged…