CVE-2026-49402 Deno: Command Injection via spawnSync & spawn on Windows

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...

CVE-2026-28391

OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests non-default configuration, allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...%...