NIXPKGS-2026-0334

GitHub issue published on

Permalink CVE-2026-27190

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 2 weeks ago
@LeSuisse removed package speech-denoiser 1 month, 2 weeks ago
@LeSuisse removed package openimagedenoise 1 month, 2 weeks ago
@LeSuisse removed package terraform-providers.deno 1 month, 2 weeks ago
@LeSuisse removed package python312Packages.denonavr 1 month, 2 weeks ago
@LeSuisse removed package python313Packages.denonavr 1 month, 2 weeks ago
@LeSuisse removed package haskellPackages.pandoc-sidenote 1 month, 2 weeks ago
@LeSuisse removed package terraform-providers.denoland_deno 1 month, 2 weeks ago
@LeSuisse removed package gnomeExtensions.denon-avr-controler 1 month, 2 weeks ago
@LeSuisse removed package python312Packages.bnunicodenormalizer 1 month, 2 weeks ago
@LeSuisse removed package python313Packages.bnunicodenormalizer 1 month, 2 weeks ago
@LeSuisse removed package python314Packages.bnunicodenormalizer 1 month, 2 weeks ago
@LeSuisse removed package vscode-extensions.denoland.vscode-deno 1 month, 2 weeks ago
@LeSuisse removed package home-assistant-component-tests.denonavr 1 month, 2 weeks ago
@LeSuisse removed package tests.home-assistant-component-tests.denonavr 1 month, 2 weeks ago
@LeSuisse accepted 1 month, 2 weeks ago
@LeSuisse published on GitHub 1 month, 2 weeks ago

Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

References

https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr x_refsource_CONFIRM
https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c x_refsource_MISC
https://github.com/denoland/deno/releases/tag/v2.6.8 x_refsource_MISC

Affected products

deno

==< 2.6.8

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.6.9
- nixpkgs-unstable 2.6.8
- nixos-unstable-small 2.6.9
nixos-25.11 2.5.6
- nixos-25.11-small 2.5.6
- nixpkgs-25.11-darwin 2.5.6

Package maintainers

@ofalvai Olivér Falvai <ofalvai@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr
Upstream patch: https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0334

References

Affected products

Matching in nixpkgs

pkgs.deno

Package maintainers