{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0933", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2026-01-14T08:27:27.244Z", "datePublished": "2026-01-20T22:58:05.212Z", "dateUpdated": "2026-01-23T21:54:58.842Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Wrangler", "product": "Wrangler", "repo": "https://github.com/cloudflare/workers-sdk", "vendor": "Cloudflare", "versions": [{"lessThanOrEqual": "v3.114.16", "status": "affected", "version": "v3.0.0", "versionType": "semver"}, {"lessThanOrEqual": "v4.59.0", "status": "affected", "version": "v4.0.0", "versionType": "semver"}, {"status": "affected", "version": "v2.0.15+"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<h2><span style=\"background-color: transparent;\"><b>Summary</b></span></h2><p><span style=\"background-color: transparent;\">A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.</span></p><p><span style=\"background-color: transparent;\"><br></span></p><h3><span style=\"background-color: transparent;\"><b>Root cause</b></span></h3><p><span style=\"background-color: transparent;\">The </span><span style=\"background-color: rgb(233, 238, 246);\">commitHash</span><span style=\"background-color: transparent;\"> variable, derived from user input via the --commit-hash </span><span style=\"background-color: transparent;\">CLI argument, is interpolated directly into a shell command using template literals (e.g., &nbsp;<span style=\"background-color: rgb(233, 238, 246);\">execSync(`git show -s --format=%B ${commitHash}`)</span><span style=\"background-color: transparent;\">)</span></span><span style=\"background-color: transparent;\">. Shell metacharacters are interpreted by the shell, enabling command execution.</span></p><p><span style=\"background-color: transparent;\"><br></span></p><h3><span style=\"background-color: transparent;\"><b>Impact</b></span></h3><p><span style=\"background-color: transparent;\">This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the </span></p><p><span style=\"background-color: transparent;\">--commit-hash</span><span style=\"background-color: transparent;\">&nbsp;parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:</span></p><ul><li><span style=\"background-color: transparent;\">Run any shell command.</span></li><li>Exfiltrate environment variables.</li><li>Compromise the CI runner to install backdoors or modify build artifacts.</li></ul><br><h3><span style=\"background-color: transparent;\"><b>Credits</b></span></h3><p><span style=\"background-color: transparent;\"> Disclosed responsibly by </span><span style=\"background-color: rgb(255, 255, 255);\">kny4hacker.</span></p><p><span style=\"background-color: rgb(255, 255, 255);\"><br></span></p><h3>Mitigation<br></h3><ul><li><span style=\"background-color: transparent;\">Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.</span></li><li>Wrangler v3 users are requested to upgrade to <span style=\"background-color: transparent;\">Wrangler v3.114.17 or higher.</span></li><li>Users on Wrangler v2 (EOL) should upgrade to a supported major version.</li></ul><br><br>"}], "value": "SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n\n\n\nRoot causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., \u00a0execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n\n\n\nImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \n\n--commit-hash\u00a0parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n * Run any shell command.\n * Exfiltrate environment variables.\n * Compromise the CI runner to install backdoors or modify build artifacts.\n\n\n\nCredits Disclosed responsibly by kny4hacker.\n\n\n\n\nMitigation\n * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\n * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\n * Users on Wrangler v2 (EOL) should upgrade to a supported major version."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2026-01-20T22:58:05.212Z"}, "references": [{"url": "https://github.com/cloudflare/workers-sdk"}], "source": {"discovery": "UNKNOWN"}, "title": "OS Command Injection in `wrangler pages deploy`", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T18:58:09.879547Z", "id": "CVE-2026-0933", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:54:58.842Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0933", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T18:58:09.879547Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T19:00:41.854Z"}}], "cna": {"title": "OS Command Injection in `wrangler pages deploy`", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/cloudflare/workers-sdk", "vendor": "Cloudflare", "product": "Wrangler", "versions": [{"status": "affected", "version": "v3.0.0", "versionType": "semver", "lessThanOrEqual": "v3.114.16"}, {"status": "affected", "version": "v4.0.0", "versionType": "semver", "lessThanOrEqual": "v4.59.0"}, {"status": "affected", "version": "v2.0.15+"}], "packageName": "Wrangler", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/cloudflare/workers-sdk"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n\n\n\nRoot causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., \u00a0execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n\n\n\nImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \n\n--commit-hash\u00a0parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n * Run any shell command.\n * Exfiltrate environment variables.\n * Compromise the CI runner to install backdoors or modify build artifacts.\n\n\n\nCredits Disclosed responsibly by kny4hacker.\n\n\n\n\nMitigation\n * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\n * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\n * Users on Wrangler v2 (EOL) should upgrade to a supported major version.", "supportingMedia": [{"type": "text/html", "value": "<h2><span style=\"background-color: transparent;\"><b>Summary</b></span></h2><p><span style=\"background-color: transparent;\">A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.</span></p><p><span style=\"background-color: transparent;\"><br></span></p><h3><span style=\"background-color: transparent;\"><b>Root cause</b></span></h3><p><span style=\"background-color: transparent;\">The </span><span style=\"background-color: rgb(233, 238, 246);\">commitHash</span><span style=\"background-color: transparent;\"> variable, derived from user input via the --commit-hash </span><span style=\"background-color: transparent;\">CLI argument, is interpolated directly into a shell command using template literals (e.g., &nbsp;<span style=\"background-color: rgb(233, 238, 246);\">execSync(`git show -s --format=%B ${commitHash}`)</span><span style=\"background-color: transparent;\">)</span></span><span style=\"background-color: transparent;\">. Shell metacharacters are interpreted by the shell, enabling command execution.</span></p><p><span style=\"background-color: transparent;\"><br></span></p><h3><span style=\"background-color: transparent;\"><b>Impact</b></span></h3><p><span style=\"background-color: transparent;\">This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the </span></p><p><span style=\"background-color: transparent;\">--commit-hash</span><span style=\"background-color: transparent;\">&nbsp;parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:</span></p><ul><li><span style=\"background-color: transparent;\">Run any shell command.</span></li><li>Exfiltrate environment variables.</li><li>Compromise the CI runner to install backdoors or modify build artifacts.</li></ul><br><h3><span style=\"background-color: transparent;\"><b>Credits</b></span></h3><p><span style=\"background-color: transparent;\"> Disclosed responsibly by </span><span style=\"background-color: rgb(255, 255, 255);\">kny4hacker.</span></p><p><span style=\"background-color: rgb(255, 255, 255);\"><br></span></p><h3>Mitigation<br></h3><ul><li><span style=\"background-color: transparent;\">Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.</span></li><li>Wrangler v3 users are requested to upgrade to <span style=\"background-color: transparent;\">Wrangler v3.114.17 or higher.</span></li><li>Users on Wrangler v2 (EOL) should upgrade to a supported major version.</li></ul><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2026-01-20T22:58:05.212Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0933", "state": "PUBLISHED", "dateUpdated": "2026-01-23T21:54:58.842Z", "dateReserved": "2026-01-14T08:27:27.244Z", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "datePublished": "2026-01-20T22:58:05.212Z", "assignerShortName": "cloudflare"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:wrangler:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C22AB9BD-AA08-4F21-9F00-EE077888827F", "versionEndExcluding": "3.114.17", "versionStartIncluding": "2.0.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudflare:wrangler:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FDB2DBCA-953B-4E8E-A8D3-C978C083C1A2", "versionEndExcluding": "4.59.1", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n\n\n\nRoot causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., \u00a0execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n\n\n\nImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \n\n--commit-hash\u00a0parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n * Run any shell command.\n * Exfiltrate environment variables.\n * Compromise the CI runner to install backdoors or modify build artifacts.\n\n\n\nCredits Disclosed responsibly by kny4hacker.\n\n\n\n\nMitigation\n * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\n * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\n * Users on Wrangler v2 (EOL) should upgrade to a supported major version."}], "id": "CVE-2026-0933", "lastModified": "2026-01-27T21:12:28.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2026-01-20T23:16:06.043", "references": [{"source": "cna@cloudflare.com", "tags": ["Product"], "url": "https://github.com/cloudflare/workers-sdk"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:19:01.258490+00:00", "value": {"mitigation_remediation": ["Upgrade to at least Wrangler v4.59.1 if using Wrangler v4.", "Upgrade to at least Wrangler v3.114.17 if using Wrangler v3.", "If running Wrangler v2, move to a supported major release such as v3 or v4.", "Ensure that any parameters supplied to wrangler pages deploy, especially --commit\u2011hash, are sourced from trusted or sanitized inputs.", "Restrict CI runners to run only necessary commands and monitor for unexpected shell activity."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Command Execution via CI/CD Pipeline"}, "threat_synthesis": {"affected_systems": "The flaw affects all Cloudflare Wrangler releases prior to v4.59.1, v3.114.17, and v2 (which is end\u2011of\u2011life). Users employing earlier major versions are vulnerable when using wrangler pages deploy within automated pipelines where --commit\u2011hash may originate from untrusted sources. The fix is available in Wrangler v4.59.1 and later, v3.114.17 and later, and any supported major release beyond v2.", "description_and_impact": "The vulnerability stems from the --commit\u2011hash CLI option in the wrangler pages deploy command, which concatenates the supplied value directly into a shell command without validation or sanitization. This omission permits an attacker who can influence the --commit\u2011hash parameter to inject shell metacharacters and execute arbitrary commands on the system running Wrangler. The primary consequence is the ability to run arbitrary shell commands, exfiltrate sensitive data, or compromise the CI runner, potentially resulting in full system compromise for the build environment.", "risk_and_exploitability": "The CVSS score of 7.7 indicates high severity, but the EPSS score of <1% signals a low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no known large\u2011scale attacks. The likely attack vector is a compromised or poorly configured CI/CD pipeline that supplies an attacker\u2011controlled value to the --commit\u2011hash option. Successful exploitation would require the attacker to have influence over the CI environment, which is a moderate to high limitation for most users. Nonetheless, the ability to execute arbitrary commands poses a serious threat to confidentiality, integrity, and availability of the build system."}}}}, "created": "2026-01-21T11:18:57.932050+00:00", "updated": "2026-04-18T04:30:35.824147+00:00", "vendors": ["cloudflare", "cloudflare$PRODUCT$wrangler"]}