CVE-2026-22864 · CRITICAL 9.8 · EPSS p44.9%


Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.
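The flaw described above, shown as an added example: a case-sensitive extension check beside a case-insensitive one, run over constructed sample paths. This is not Deno's source code; the function names and paths are assumptions made for illustration.

```rust
use std::path::Path;

// Constructed sample spawn targets (not taken from the advisory).
const SAMPLE_PATHS: [&str; 6] = [
    "scripts/build.bat",
    "scripts/build.BAT",
    "scripts/build.Bat",
    "scripts/run.cmd",
    "scripts/run.CMD",
    "bin/tool.exe",
];

// Hypothetical helper: the extension as UTF-8 text, if there is one.
fn extension_of(path: &str) -> Option<&str> {
    Path::new(path).extension().and_then(|e| e.to_str())
}

// Flawed form as the description states it: exact match against lowercase literals.
fn is_batch_case_sensitive(path: &str) -> bool {
    matches!(extension_of(path), Some("bat") | Some("cmd"))
}

// Hardened form: ASCII case-insensitive comparison of the extension.
fn is_batch_case_insensitive(path: &str) -> bool {
    extension_of(path)
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

// Paths the hardened check rejects but the flawed check lets through.
fn missed_by_case_sensitive<'a>(paths: &[&'a str]) -> Vec<&'a str> {
    paths
        .iter()
        .copied()
        .filter(|p| is_batch_case_insensitive(p) && !is_batch_case_sensitive(p))
        .collect()
}

fn main() {
    for p in SAMPLE_PATHS.iter() {
        let (cs, ci) = (is_batch_case_sensitive(p), is_batch_case_insensitive(p));
        println!("{:<20} case-sensitive={} case-insensitive={}", p, cs, ci);
    }
    println!("missed: {:?}", missed_by_case_sensitive(&SAMPLE_PATHS));
}
```

The same comparison is useful as a regression test for any allow/deny logic keyed on Windows file extensions, since Windows file systems are case-insensitive by default.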

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.62% probability of exploitation · percentile 44.9% · 2026-06-19T12:03:05Z
Published: 2026-01-15
Last modified: 2026-01-21

Underlying weaknesses · 1

CWE-77

References

  1. https://github.com/denoland/deno/releases/tag/v2.5.6
  2. https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6


Type: Weakness
Target: Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-61787
  2. CVE-2026-32260
  3. CVE-2026-27190
  4. CVE-2025-48935
  5. CVE-2026-29610
  6. CVE-2026-42906

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.