CVE-2026-1665 – Command Injection in nvm via NVM_AUTH_HEADER in wget code path

CVE ID : CVE-2026-1665

Published : Jan. 29, 2026, 11:16 p.m. | 1 hour, 54 minutes ago

Description : A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim’s shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as ‘nvm install’ or ‘nvm ls-remote’.

Severity: 5.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…