CVE-2026-49401

CVE-2026-49401CVE-2026-49401

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.

Scoring

CVSS 7.3 ()
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Last modified2026-06-23
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.