PT-2026-3738 · Cloudflare · Wrangler
Kny4Hacker · Published 2026-01-20 · Updated 2026-01-21
CVE-2026-0933
CVSS v3.1: 9.9 (Critical)
Base vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Wrangler versions prior to 3.114.17
Wrangler versions prior to 4.59.1
Wrangler version 2 (EOL)
Description
A command injection issue exists in the wrangler pages deploy command. The --commit-hash parameter is passed to a shell command without proper validation, so an attacker who controls that parameter can execute arbitrary commands on the system running Wrangler. The commitHash variable, obtained from the --commit-hash command-line argument, is interpolated directly into a shell command string using template literals; shell metacharacters in the value are interpreted by the shell, enabling command execution. This primarily affects CI/CD environments where wrangler pages deploy runs in automated pipelines and the --commit-hash parameter is populated from external sources. An attacker could run shell commands, exfiltrate environment variables, or compromise the CI runner.
Affected command: wrangler pages deploy. Vulnerable parameter: --commit-hash.
Recommendations
Wrangler versions prior to 3.114.17 should be upgraded to Wrangler version 3.114.17 or higher.
Wrangler versions prior to 4.59.1 should be upgraded to Wrangler version 4.59.1 or higher.
Users on Wrangler version 2 (EOL) should upgrade to a supported major version.
Tags: Fix · RCE · OS Command Injection
Related Identifiers
CVE-2026-0933
GHSA-36P8-MVP6-CV38
GHSA-8H3Q-9FPP-C883
Affected Products
Wrangler
References · 12
- https://nvd.nist.gov/vuln/detail/CVE-2026-0933 · Security Note
- https://osv.dev/vulnerability/GHSA-36p8-mvp6-cv38 · Vendor Advisory
- https://osv.dev/vulnerability/GHSA-8h3q-9fpp-c883 · Vendor Advisory
- https://osv.dev/vulnerability/CVE-2026-0933 · Vendor Advisory
- https://github.com/cloudflare/workers-sdk · Note
- https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%404.59.1 · Note
- https://github.com/cloudflare/workers-sdk/commit/99b1f328a9afe181b49f1114ed47f15f6d25f0be · Note
- https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%403.114.17 · Note
- https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-36p8-mvp6-cv38 · Note
- https://twitter.com/_cvereports/status/2014111555986604092 · Twitter Post
- https://t.me/CVEtracker/42646 · Telegram Post
- https://twitter.com/CVEnew/status/2013782985607389205 · Twitter Post