FIND-20260329-023 · 2026-03-29 · Innovation Veille
Deno CVE-2026-27190 and CVE-2026-32260 — command injection via node:child_process, fixed in 2.7.2
cve
MEDIUM
Two chained command injection vulnerabilities in Deno's node:child_process polyfill. CVE-2026-27190 (CVSS 8.1 HIGH): versions prior to 2.6.8 allow unauthenticated remote code execution via improper neutralization of shell metacharacters. CVE-2026-32260 (HIGH): versions 2.7.0 and 2.7.1 contain a bypass of the CVE-2026-27190 fix — an argument matching a $VAR pattern is wrapped in double quotes instead of single quotes, and inside double quotes the shell still performs backtick command substitution. Fixed in Deno 2.7.2. ODS does not currently use Deno in production services (all backends are Rust/Actix-web), but Deno is on the radar as a potential TypeScript runtime for lightweight services. If it is evaluated, require 2.7.2 or later.
Source
https://advisories.gitlab.com/pkg/cargo/deno/CVE-2026-27190/
ODS Impact
Not directly impacting current ODS stack. Relevant if Deno is adopted for future TypeScript microservices (notification workers, webhook handlers). Monitor and use only Deno >= 2.7.2 in any evaluation.
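Added example for this finding (not code from Deno or from the advisory): an evaluation gate that encodes the affected version ranges stated above, plus a generic POSIX single-quote helper illustrating why the fix needs single quotes rather than double quotes. Function names are my own.

```typescript
// Version ranges below are taken from the advisory text for CVE-2026-27190
// (< 2.6.8) and CVE-2026-32260 (2.7.0 and 2.7.1). The quoting helper is a
// generic POSIX wrapper, not Deno's polyfill implementation.

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and pre-release suffixes are ignored.
function parseSemver(v: string): [number, number, number] {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a: [number, number, number], b: [number, number, number]): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the CVE ids from the advisory that apply to a given Deno version,
// or an empty list when the version carries the 2.7.2 fix.
function affectedDenoCves(version: string): string[] {
  const v = parseSemver(version);
  const hits: string[] = [];
  // CVE-2026-27190: every release before 2.6.8.
  if (cmp(v, [2, 6, 8]) < 0) hits.push("CVE-2026-27190");
  // CVE-2026-32260: the fix bypass shipped in 2.7.0 and 2.7.1 only.
  if (cmp(v, [2, 7, 0]) >= 0 && cmp(v, [2, 7, 2]) < 0) hits.push("CVE-2026-32260");
  return hits;
}

// Evaluation gate: acceptable only if no listed CVE applies (i.e. >= 2.7.2,
// or a 2.6.8+ release before the 2.7 line).
function meetsDenoBaseline(version: string): boolean {
  return affectedDenoCves(version).length === 0;
}

// Single-quote an argument for a POSIX shell. Inside single quotes the shell
// treats $ and backticks literally; inside double quotes backtick substitution
// still runs, which is the behaviour behind CVE-2026-32260. An embedded single
// quote is closed, escaped and reopened:  '  ->  '\''
function quoteForPosixShell(arg: string): string {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}
```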
Security Review
License: MIT | Maintenance: ACTIVE | Risk: MEDIUM | Recommendation: USE_WITH_CAUTION
Tags
deno
cve
rce
command-injection
typescript-runtime
nodejs-compat