PT-2026-3146 · Deno · Deno
Sharokhataie
Published 2026-01-15 · Updated 2026-04-14
CVE-2026-22864
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Deno versions prior to 2.5.6
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. A previous attempt to prevent the execution of Windows batch and shell files by checking file extensions (.bat or .cmd) was ineffective due to a case-sensitive comparison. This allowed bypassing the restriction by using alternate casing for the file extension (e.g., .BAT, .Bat). The issue is addressed in version 2.5.6.
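The flaw described above, as an added example that is not Deno's own code: a case-sensitive extension check beside a case-insensitive one, plus a regression helper listing the inputs that only the second check blocks. All function names and sample file names are constructed for illustration.

```rust
use std::path::Path;

// Extensions the advisory says the check was meant to block.
const BLOCKED: [&str; 2] = ["bat", "cmd"];

/// Flawed form (illustrative): exact, case-sensitive comparison.
fn is_batch_case_sensitive(path: &str) -> bool {
    Path::new(path)
        .extension()
        .and_then(|e| e.to_str())
        .map_or(false, |e| BLOCKED.iter().any(|b| *b == e))
}

/// Hardened form (illustrative): compare ignoring ASCII case, because
/// Windows treats file names case-insensitively.
fn is_batch_case_insensitive(path: &str) -> bool {
    Path::new(path)
        .extension()
        .and_then(|e| e.to_str())
        .map_or(false, |e| BLOCKED.iter().any(|b| b.eq_ignore_ascii_case(e)))
}

/// Regression helper: paths the hardened check blocks but the flawed one allows.
fn missed_by_flawed_check<'a>(paths: &[&'a str]) -> Vec<&'a str> {
    paths
        .iter()
        .copied()
        .filter(|p| is_batch_case_insensitive(p) && !is_batch_case_sensitive(p))
        .collect()
}

fn main() {
    // Constructed sample inputs, not taken from the advisory.
    let samples = ["build.bat", "build.BAT", "run.Cmd", "tool.exe", "notes.bat.txt"];
    for p in samples {
        println!(
            "{:<14} case-sensitive={:<5} case-insensitive={}",
            p,
            is_batch_case_sensitive(p),
            is_batch_case_insensitive(p)
        );
    }
    println!("missed by flawed check: {:?}", missed_by_flawed_check(&samples));
}
```

A helper like `missed_by_flawed_check` is useful as a unit test fixture: any extension deny-list in your own code should return an empty list for mixed-case variants.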
Recommendations
Update to Deno version 2.5.6 or later.
Exploit
Fix
Command Injection
Affected Products
Deno