CVE-2026-22864

CVE-2026-22864

Name

CVE-2026-22864

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/denoland/deno/releases/tag/v2.5.6
CONFIRM	https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6

Type

URI

MISC

https://github.com/denoland/deno/releases/tag/v2.5.6

CONFIRM

https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6

CPE URI	Source package	Min version	Max version
	deno	>= 0	< 2.5.6

CPE URI

Source package

Min version

Max version

deno

>= 0

< 2.5.6

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
deno	edge-community	2.3.1-r7	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.3.1-r6	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.3.1-r5	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.3.1-r4	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.3.1-r3	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.3.1-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.3.1-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.3.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.0.6-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	edge-community	2.0.6-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	3.23-community	2.3.1-r5	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
deno	3.23-community	2.3.1-r4	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

deno

edge-community

2.3.1-r7

Jakub Jirutka <jakub@jirutka.cz>

possibly vulnerable

deno

edge-community