Nixpkgs Security Tracker

Untriaged

Permalink CVE-2026-27190

created 21 hours ago

Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

Affected products

deno

==< 2.6.8

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.6.9
- nixpkgs-unstable 2.6.8
- nixos-unstable-small 2.6.9
nixos-25.11 2.5.6
- nixos-25.11-small 2.5.6
- nixpkgs-25.11-darwin 2.5.6

pkgs.speech-denoiser

Speech denoise lv2 plugin based on RNNoise library

nixos-unstable 0-unstable-2018-10-08
- nixpkgs-unstable 0-unstable-2018-10-08
- nixos-unstable-small 0-unstable-2018-10-08
nixos-25.11 0-unstable-2018-10-08
- nixos-25.11-small 0-unstable-2018-10-08
- nixpkgs-25.11-darwin 0-unstable-2018-10-08

pkgs.openimagedenoise

High-Performance Denoising Library for Ray Tracing

nixos-unstable 2.3.3
- nixpkgs-unstable 2.3.3
- nixos-unstable-small 2.3.3
nixos-25.11 2.3.3
- nixos-25.11-small 2.3.3
- nixpkgs-25.11-darwin 2.3.3

pkgs.terraform-providers.deno

None

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python312Packages.denonavr

Automation Library for Denon AVR receivers

nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.python313Packages.denonavr

Automation Library for Denon AVR receivers

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.haskellPackages.pandoc-sidenote

Convert Pandoc Markdown-style footnotes into sidenotes

nixos-unstable 0.23.0.0
- nixpkgs-unstable 0.23.0.0
- nixos-unstable-small 0.23.0.0
nixos-25.11 0.23.0.0
- nixos-25.11-small 0.23.0.0
- nixpkgs-25.11-darwin 0.23.0.0