Loading market data...
← Back to CVE feed

CVE-2026-49859

MEDIUM CVSS 5.2 View on NVD ↗

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Published: Jun 23, 2026 18:18 UTC Modified: Jun 24, 2026 15:16 UTC