216.73.216.86

CVE-2026-1665

· Published 29/01/2026 23:16 · Modified 29/01/2026 23:16

Labels: CVE-2026-1665 2026-01-29CVE-2026-1665CWE-78ce714d77-add3-4f53-aff5-83d477b104bb

Essential information

Published
29/01/2026 23:16
Modified
29/01/2026 23:16
Author
Creator
CVSS
5.4 MEDIUM (v3) 5.4 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ce714d77-add3-4f53-aff5-83d477b104bb
NVD
View on NVD

Affected products (CPE)

ProductCPE
nvm / nvm cpe:2.3:a:nvm:nvm:<0.40.3:*:*:*:*:*:*:*

References