PT-2026-5371 · Nvm · Nvm

Jiyong Yang · Published 2024-06-21 · Updated 2026-01-30 · CVE-2026-1665

CVSS v2.0: 6.8 (Medium)
Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: nvm (Node Version Manager) versions 0.40.3 and below

Description: A command injection issue exists in nvm (Node Version Manager). The nvm_download() function uses eval to execute the wget command line it builds, and the NVM_AUTH_HEADER environment variable was not sanitized before being spliced into that command string in the wget code path (nvm uses curl when it is available and falls back to wget otherwise, so the affected path is reached on hosts where nvm relies on wget). An attacker able to set environment variables in the victim's shell, for example through malicious CI/CD configuration, compromised dotfiles or Docker images, can inject arbitrary shell commands. The injected commands run when the victim executes an nvm command that triggers a download, such as 'nvm install' or 'nvm ls-remote'.

Recommendations: Update nvm to a version newer than 0.40.3 and confirm the installed version with 'nvm --version'. Until the update is applied, treat NVM_AUTH_HEADER as untrusted input: do not let CI pipelines, shared dotfiles or container images set it to values you have not reviewed.
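The following shell script is an added illustration of the bug class described above and is not nvm's own code: a download helper that builds a wget command line as a string and runs it through eval, next to a version that passes each argument as its own word so the shell never re-parses the header value. The function names (vulnerable_download, safe_download, header_is_safe), the wget stand-in and the example URL are hypothetical; only the NVM_AUTH_HEADER variable name comes from the advisory. The hostile header value is constructed input.

```shell
#!/bin/sh
# Added illustration of eval-based command injection through an environment
# variable. Not nvm's code: function names, the wget stub and the URL are
# hypothetical stand-ins; only NVM_AUTH_HEADER is taken from the advisory.

# Offline stand-in for wget: records its argv (each argument bracketed)
# instead of fetching anything.
wget() {
  LAST_WGET_ARGS=$(printf '[%s]' "$@")
  return 0
}

# Vulnerable pattern: the header value is spliced into a command string.
# A single quote in NVM_AUTH_HEADER closes the quoted argument, and anything
# after it is parsed by the shell as further commands when eval runs.
vulnerable_download() {
  URL="$1"
  ARGS="-q -O - '$URL'"
  if [ -n "${NVM_AUTH_HEADER-}" ]; then
    ARGS="$ARGS --header 'Authorization: $NVM_AUTH_HEADER'"
  fi
  eval "wget $ARGS"
}

# Hardened pattern: no eval. Each argument is its own word, so the shell
# never re-parses the header value; wget receives it verbatim.
safe_download() {
  URL="$1"
  if [ -n "${NVM_AUTH_HEADER-}" ]; then
    wget -q -O - --header "Authorization: $NVM_AUTH_HEADER" "$URL"
  else
    wget -q -O - "$URL"
  fi
}

# Defense in depth (an assumed check, not nvm's fix): accept only a
# conservative character set for the header value. Returns 0 if clean,
# 1 otherwise. The appended '!' is outside the allowed set, so a trailing
# newline in the value is not silently dropped by the $(...) capture.
header_is_safe() {
  LEFTOVER=$(printf '%s!' "$1" | LC_ALL=C tr -d 'A-Za-z0-9 ._~+/=:-')
  [ "$LEFTOVER" = '!' ]
}

# Demo with a constructed hostile header that breaks out of the quoted
# argument. On the eval path INJECTED=1 runs in the caller's shell and
# wget sees a truncated header; on the no-eval path neither happens.
DEMO_URL='https://example.invalid/node.tar.gz'
NVM_AUTH_HEADER="x'; INJECTED=1; echo '"
INJECTED=0
vulnerable_download "$DEMO_URL"
echo "eval path:    INJECTED=$INJECTED  wget saw: $LAST_WGET_ARGS"
INJECTED=0
safe_download "$DEMO_URL"
echo "no-eval path: INJECTED=$INJECTED  wget saw: $LAST_WGET_ARGS"
```

The structural fix is the second function: once arguments are passed as separate words there is nothing for the shell to re-interpret, whatever the variable contains. header_is_safe is only a backstop for code paths that cannot yet drop eval; it rejects quotes, semicolons, backticks, dollar signs and newlines outright rather than trying to escape them.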

Fix

Weakness Enumeration

Eval Injection (CWE-95)
OS Command Injection (CWE-78)

Related Identifiers

BDU:2026-04854
CVE-2026-1665

Affected Products

Nvm