CVE-2026-22864

← CVEs

HIGH 8.1

Published

2026-01-15

Last Modified

2026-01-21

Affected Apps

Affected Devices

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Affected Applications in Environment 5

9 devices

8 devices

9 devices

2 devices

1 device

Affected Devices 29

ATWOOD-PD-BSMTH Windows BUGLAB-188420 Windows CAPS-1CR0NH3 Windows DESKTOP-D7VPBP1 Windows DESKTOP-JI1MGL6 Windows DPADVS-3N9RCB4 Windows DPADVS-A8191ZBY Windows DPADVS-L2273Y4T Windows DPAPSB-9BPL3Q3 Windows DPDNNR-MZ0288MB Windows DPDNNR-PF4YDCYX Windows DPDNNR-PW0E0LYA Windows DPDNNR-YLT0LHMW Windows DPFCHD-CNZ6T34 Windows DPINTC-N0120809 Windows DPMATH-MZ01HEM3 Windows DPMATH-MZ0290D7 Windows GISTL22509 Windows GISTL225A05 Windows GISTL225A31 Windows LGN-ENGR-106 Windows LGN-MAIN-229A Windows LUTZLAB-MXL9112 Windows RVSSCI2210-01 Windows STUBER-GRAD-755 Windows USU-44825594057 Windows USULOAN345 Windows USULOAN379 Windows USULOAN501 Windows

References 2