2 matches found
CVE-2026-1665 Command Injection in nvm via NVM_AUTH_HEADER in wget code path
A command injection vulnerability exists in nvm Node Version Manager versions 0.40.3 and below. The nvmdownload function uses eval to execute wget commands, and the NVMAUTHHEADER environment variable was not sanitized in the wget code path though it was sanitized in the curl code path. An attacke...
CVE-2026-1665
CVE-2026-1665 affects nvm (Node Version Manager) versions 0.40.3 and earlier. The vulnerability arises because the wget path in the nvm_download() function uses eval to execute commands and the NVM_AUTH_HEADER environment variable is not sanitized in that path (unlike the curl path). An attacker ...