CVE-2026-49402

Deno is affected by CVE-2026-49402 on Windows when using node:child_process with shell: true. The escapeShellArg() helper failed to properly quote arguments containing cmd.exe metacharacters (e.g., &, |, , ^, !, (, )), and did not neutralize % inside double-quoted strings. This allowed an attacke...

CVE-2026-49402 Deno: Command Injection via spawnSync & spawn on Windows

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...

PT-2024-4625 · Node.Js +1 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: Node.js versions up to 18.20.3 Node.js versions up to 20.15.0 Node.js versions up to 22.4.0 Description: The issue arises from improper handling of batch files with all possible extensions on Windows via child process.spawn / child...

OS Command Execution

HFS is vulnerable to OS Command Execution. The vulnerability is due to using execSync instead of spawnSync in a childprocess to execute the df shell command, which allows an attacker to execute OS commands remotely via the file upload feature...

CVE-2024-39943

rejetto HFS aka HTTP File Server 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users if they have Upload permissions. This occurs because a shell is used to execute df i.e., with execSync instead of spawnSync in childprocess in Node.js...

PT-2024-5241 · Node.Js +1 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: Node.js versions 18.x, 20.x, and 21.x Description: The issue is related to the improper handling of batch files in child process.spawn and child process.spawnSync on Windows platforms. This allows a malicious command line argument to inject...