CVE-2026-0933: Improper Input Validation in Wrangler

Severity: 7.7 HIGH (NVD)
EPSS: 0.1% (top 81.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jan 20
Latest update: Jan 21

Description

Summary

A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.

Root cause

The `commitHash` variable, derived from user input via the `--commit-hash` CLI argument, is interpolated directly into a shell

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

Affected Packages (3 packages)

NVD: cloudflare/wrangler 2.0.15 3.114.17 +1
npm: cloudflare/wrangler 2.0.15 3.114.17 +1
CVEListV5: cloudflare/wrangler v3.0.0 v3.114.16 +2

🔴 Vulnerability Details (2)

OSV: Wrangler affected by OS Command Injection in `wrangler pages deploy` (2026-01-21)
GHSA: Wrangler affected by OS Command Injection in `wrangler pages deploy` (2026-01-21)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-0933 Impact, Exploitability, and Mitigation Steps | Wiz