| CVE-2022-24783 |
critical |
— |
9.5 |
4y ago |
Sandbox bypass leading to arbitrary code execution in Deno |
|
| CVE-2021-32619 |
critical |
— |
9.5 |
5y ago |
Deno's static imports inside dynamically imported modules do not adhere to permission checks |
|
| CVE-2026-44726 |
high |
— |
8.0 |
7h ago |
Deno's TLS retry copies stale upgrade hook, risking plaintext traffic |
|
| CVE-2026-32260 |
unknown |
— |
— |
3mo ago |
Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process |
|
| CVE-2026-27190 |
unknown |
— |
— |
3mo ago |
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process |
|
| CVE-2026-22864 |
unknown |
— |
— |
4mo ago |
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass |
|
| CVE-2026-22863 |
unknown |
— |
— |
4mo ago |
Deno node:crypto doesn't finalize cipher |
|
| CVE-2025-61787 |
unknown |
— |
— |
8mo ago |
Deno is Vulnerable to Command Injection on Windows During Batch File Execution |
|
| CVE-2025-61786 |
unknown |
— |
— |
8mo ago |
Deno's --deny-read check does not prevent permission bypass |
|
| CVE-2025-61785 |
unknown |
— |
— |
8mo ago |
Deno's --deny-write check does not prevent permission bypass |
|
| CVE-2024-21486 |
unknown |
— |
— |
1y ago |
Deno vulnerable to Exposure of Sensitive Information to an Unauthorized Actor |
|
| CVE-2025-48934 |
unknown |
— |
— |
1y ago |
Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables |
|
| CVE-2025-48888 |
unknown |
— |
— |
1y ago |
Deno run with --allow-read and --deny-read flags results in allowed |
|
| CVE-2025-24015 |
unknown |
— |
— |
1y ago |
Deno's AES GCM authentication tags are not verified |
|
| CVE-2025-48935 |
unknown |
— |
— |
1y ago |
--allow-read / --allow-write permission bypass in `node:sqlite` |
|
| CVE-2025-21620 |
unknown |
— |
— |
1y ago |
fetch: Authorization headers not dropped when redirecting cross-origin |
|
| CVE-2024-34346 |
unknown |
— |
— |
2y ago |
Deno permission escalation vulnerability via open of privileged files with missing `--deny` flag |
|
| CVE-2024-27934 |
unknown |
— |
— |
2y ago |
*const c_void / ExternalPointer unsoundness leading to use-after-free |
|
| CVE-2024-27933 |
unknown |
— |
— |
2y ago |
Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass |
|
| CVE-2024-27932 |
unknown |
— |
— |
2y ago |
Deno's improper suffix match testing for DENO_AUTH_TOKENS |
|
| CVE-2024-27936 |
unknown |
— |
— |
2y ago |
Deno's deno_runtime vulnerable to interactive permission prompt spoofing via improper ANSI stripping |
|
| CVE-2024-27935 |
unknown |
— |
— |
2y ago |
Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination |
|
| CVE-2024-27931 |
unknown |
— |
— |
2y ago |
Insufficient permission checking in `Deno.makeTemp*` APIs |
|
| CVE-2023-33966 |
unknown |
— |
— |
3y ago |
Missing "--allow-net" permission check for built-in Node modules |
|
| CVE-2023-26103 |
unknown |
— |
— |
3y ago |
Regular Expression Denial of Service in Deno.upgradeWebSocket API |
|
| CVE-2023-28446 |
unknown |
— |
— |
3y ago |
Interactive `run` permission prompt spoofing via improper ANSI neutralization |
|
| CVE-2023-22499 |
unknown |
— |
— |
3y ago |
Deno is vulnerable to race condition via interactive permission prompt spoofing |
|
| CVE-2021-41641 |
unknown |
— |
— |
4y ago |
Link Following in Deno |
|