QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-1665

Back to search

CVE-2026-1665

Published: Jan 29, 2026

Modified: Jan 30, 2026

PUBLISHED

Description

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.

VendorProductVersions

nvm-sh

nvm

affected
0.40.0 - <= 0.40.3
unaffected
0.40.4

Weaknesses (CWE)

CWE-78
CWE-95

References

Release v0.40.4
release-notes

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now