cvedb.io
CVE-2026-49401
HIGH · CVSS 7.3
EPSS exploitation probability: 0%
Published 2026-06-23T18:18:03.033 · Last modified 2026-06-26T17:43:03.033

Summary

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.

Affected products

deno — deno

Does this affect you?

Add your gear to cvedb and we'll alert you only when deno ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.