CVE-2026-0933

Name of the Vulnerable Software and Affected Versions Wrangler versions prior to 3.114.17 Wrangler versions prior to 4.59.1 Wrangler version 2 (EOL)

Description A command injection issue exists in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed to a shell command without proper validation, allowing an attacker who controls the --commit-hash parameter to execute arbitrary commands on the system running Wrangler. The commitHash variable, obtained from the --commit-hash command-line argument, is directly interpolated into a shell command using template literals. Shell metacharacters are interpreted by the shell, enabling command execution. This primarily affects CI/CD environments where wrangler pages deploy is used in automated pipelines and the --commit-hash parameter is populated from external sources. An attacker could potentially run shell commands, exfiltrate environment variables, or compromise the CI runner. The API Endpoint is wrangler pages deploy and the Vulnerable Parameter is --commit-hash.

Recommendations Wrangler versions prior to 3.114.17 should be upgraded to Wrangler version 3.114.17 or higher. Wrangler versions prior to 4.59.1 should be upgraded to Wrangler version 4.59.1 or higher. Users on Wrangler version 2 (EOL) should upgrade to a supported major version.