Vulnerability-Lookup

CVE-2026-0933 (GCVE-0-2026-0933)

Vulnerability from cvelistv5 – Published: 2026-01-20 22:58 – Updated: 2026-01-20 22:58

Title

OS Command Injection in `wrangler pages deploy`

Summary

SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.

Severity ?

7.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

CWE

CWE-20 - Improper Input Validation

Assigner

cloudflare

References

URL

Tags

https://github.com/cloudflare/workers-sdk

Impacted products

	Vendor	Product	Version
	Cloudflare	Wrangler	Affected: v3.0.0 , ≤ v3.114.16 (semver) Affected: v4.0.0 , ≤ v4.59.0 (semver) Affected: v2.0.15+

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "Wrangler",
          "product": "Wrangler",
          "repo": "https://github.com/cloudflare/workers-sdk",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThanOrEqual": "v3.114.16",
              "status": "affected",
              "version": "v3.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "v4.59.0",
              "status": "affected",
              "version": "v4.0.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "v2.0.15+"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch2\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cb\u003eSummary\u003c/b\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003ch3\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cb\u003eRoot cause\u003c/b\u003e\u003c/span\u003e\u003c/h3\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe \u003c/span\u003e\u003cspan style=\"background-color: rgb(233, 238, 246);\"\u003ecommitHash\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e variable, derived from user input via the --commit-hash \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eCLI argument, is interpolated directly into a shell command using template literals (e.g., \u0026nbsp;\u003cspan style=\"background-color: rgb(233, 238, 246);\"\u003eexecSync(`git show -s --format=%B ${commitHash}`)\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e)\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e. Shell metacharacters are interpreted by the shell, enabling command execution.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003ch3\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cb\u003eImpact\u003c/b\u003e\u003c/span\u003e\u003c/h3\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e--commit-hash\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: transparent;\"\u003eRun any shell command.\u003c/span\u003e\u003c/li\u003e\u003cli\u003eExfiltrate environment variables.\u003c/li\u003e\u003cli\u003eCompromise the CI runner to install backdoors or modify build artifacts.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003ch3\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cb\u003eCredits\u003c/b\u003e\u003c/span\u003e\u003c/h3\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e Disclosed responsibly by \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ekny4hacker.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003ch3\u003eMitigation\u003cbr\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: transparent;\"\u003eWrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\u003c/span\u003e\u003c/li\u003e\u003cli\u003eWrangler v3 users are requested to upgrade to \u003cspan style=\"background-color: transparent;\"\u003eWrangler v3.114.17 or higher.\u003c/span\u003e\u003c/li\u003e\u003cli\u003eUsers on Wrangler v2 (EOL) should upgrade to a supported major version.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n\n\n\nRoot causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., \u00a0execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n\n\n\nImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \n\n--commit-hash\u00a0parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n  *  Run any shell command.\n  *  Exfiltrate environment variables.\n  *  Compromise the CI runner to install backdoors or modify build artifacts.\n\n\n\nCredits Disclosed responsibly by kny4hacker.\n\n\n\n\nMitigation\n  *  Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\n  *  Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\n  *  Users on Wrangler v2 (EOL) should upgrade to a supported major version."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-20T22:58:05.212Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/workers-sdk"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "OS Command Injection in `wrangler pages deploy`",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2026-0933",
    "datePublished": "2026-01-20T22:58:05.212Z",
    "dateReserved": "2026-01-14T08:27:27.244Z",
    "dateUpdated": "2026-01-20T22:58:05.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-0933\",\"sourceIdentifier\":\"cna@cloudflare.com\",\"published\":\"2026-01-20T23:16:06.043\",\"lastModified\":\"2026-01-20T23:16:06.043\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\\n\\n\\n\\n\\nRoot causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., \u00a0execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\\n\\n\\n\\n\\nImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \\n\\n--commit-hash\u00a0parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\\n\\n  *  Run any shell command.\\n  *  Exfiltrate environment variables.\\n  *  Compromise the CI runner to install backdoors or modify build artifacts.\\n\\n\\n\\nCredits Disclosed responsibly by kny4hacker.\\n\\n\\n\\n\\nMitigation\\n  *  Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\\n  *  Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\\n  *  Users on Wrangler v2 (EOL) should upgrade to a supported major version.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@cloudflare.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cna@cloudflare.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://github.com/cloudflare/workers-sdk\",\"source\":\"cna@cloudflare.com\"}]}}"
  }
}

GHSA-36P8-MVP6-CV38

Vulnerability from github – Published: 2026-01-21 23:00 – Updated: 2026-01-21 23:00

Summary

Wrangler affected by OS Command Injection in `wrangler pages deploy`

Details

Summary

A command injection vulnerability (CWE-78) has been found to exist in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of --commit-hash to execute arbitrary commands on the system running Wrangler.

Root cause

The commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.

Impact

This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where wrangler pages deploy is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

Run any shell command.
Exfiltrate environment variables.
Compromise the CI runner to install backdoors or modify build artifacts.

Mitigation

Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
Users on Wrangler v2 (EOL) should upgrade to a supported major version.

Credits

Disclosed responsibly by kny4hacker.

Severity ?

7.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "wrangler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.15"
            },
            {
              "fixed": "3.114.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "wrangler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.59.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-0933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T23:00:35Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "**Summary**\n\nA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n**Root cause**\n\nThe `commitHash` variable, derived from user input via the `--commit-hash` CLI argument, is interpolated directly into a shell command using template literals (e.g., ``execSync(`git show -s --format=%B ${commitHash}`)``). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n**Impact**\n\nThis vulnerability is generally hard to exploit, as it requires `--commit-hash` to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the `--commit-hash` parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n- Run any shell command.\n- Exfiltrate environment variables.\n- Compromise the CI runner to install backdoors or modify build artifacts.\n\n**Mitigation**\n\n- Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. \n- Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. \n- Users on Wrangler v2 (EOL) should upgrade to a supported major version.\n\n**Credits**\n\nDisclosed responsibly by kny4hacker.",
  "id": "GHSA-36p8-mvp6-cv38",
  "modified": "2026-01-21T23:00:35Z",
  "published": "2026-01-21T23:00:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-36p8-mvp6-cv38"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/commit/99b1f328a9afe181b49f1114ed47f15f6d25f0be"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/workers-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%403.114.17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%404.59.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wrangler affected by OS Command Injection in `wrangler pages deploy`"
}

GHSA-8H3Q-9FPP-C883

Vulnerability from github – Published: 2026-01-21 00:31 – Updated: 2026-01-21 23:00

Summary

Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-36p8-mvp6-cv38. This link is maintained to preserve external references.

Original Description

SummaryA command injection vulnerability (CWE-78) has been found to exist in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of --commit-hash to execute arbitrary commands on the system running Wrangler.

Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(git show -s --format=%B ${commitHash})). Shell metacharacters are interpreted by the shell, enabling command execution.

ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where wrangler pages deploy is used in automated pipelines and the

--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

Run any shell command.
Exfiltrate environment variables.
Compromise the CI runner to install backdoors or modify build artifacts.

Credits Disclosed responsibly by kny4hacker.

Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.

Severity ?

7.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.114.17"
      },
      "package": {
        "ecosystem": "npm",
        "name": "wrangler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T23:00:08Z",
    "nvd_published_at": "2026-01-20T23:16:06Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-36p8-mvp6-cv38. This link is maintained to preserve external references.\n\n## Original Description\n\nSummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n\n\n\nRoot causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., \u00a0execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n\n\n\nImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \n\n--commit-hash\u00a0parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n  *  Run any shell command.\n  *  Exfiltrate environment variables.\n  *  Compromise the CI runner to install backdoors or modify build artifacts.\n\n\n\nCredits Disclosed responsibly by kny4hacker.\n\n\n\n\nMitigation\n  *  Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\n  *  Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\n  *  Users on Wrangler v2 (EOL) should upgrade to a supported major version.",
  "id": "GHSA-8h3q-9fpp-c883",
  "modified": "2026-01-21T23:00:08Z",
  "published": "2026-01-21T00:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`",
  "withdrawn": "2026-01-21T23:00:08Z"
}

FKIE_CVE-2026-0933

Vulnerability from fkie_nvd - Published: 2026-01-20 23:16 - Updated: 2026-01-20 23:16

Severity ?

7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

Summary

References

	URL	Tags
	cna@cloudflare.com	https://github.com/cloudflare/workers-sdk

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n\n\n\nRoot causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., \u00a0execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n\n\n\nImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \n\n--commit-hash\u00a0parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n  *  Run any shell command.\n  *  Exfiltrate environment variables.\n  *  Compromise the CI runner to install backdoors or modify build artifacts.\n\n\n\nCredits Disclosed responsibly by kny4hacker.\n\n\n\n\nMitigation\n  *  Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\n  *  Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\n  *  Users on Wrangler v2 (EOL) should upgrade to a supported major version."
    }
  ],
  "id": "CVE-2026-0933",
  "lastModified": "2026-01-20T23:16:06.043",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@cloudflare.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-20T23:16:06.043",
  "references": [
    {
      "source": "cna@cloudflare.com",
      "url": "https://github.com/cloudflare/workers-sdk"
    }
  ],
  "sourceIdentifier": "cna@cloudflare.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "cna@cloudflare.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-0933 (GCVE-0-2026-0933)

GHSA-36P8-MVP6-CV38

GHSA-8H3Q-9FPP-C883

Duplicate Advisory

Original Description

FKIE_CVE-2026-0933

Tags

Sightings

Nomenclature