Command Injection Vulnerability in Cloudflare Wrangler
CVE-2026-0933

7.7HIGH

Key Information:

Vendor: Cloudflare
Status: Wrangler
Vendor: CVE Published:; 20 January 2026

What is CVE-2026-0933?

A command injection vulnerability has been identified in Cloudflare's Wrangler tool, specifically within the wrangler pages deploy command. This issue arises from the lack of proper validation or sanitization of the --commit-hash parameter, which is directly used in a shell command execution context. Attackers controlling the --commit-hash can potentially execute arbitrary shell commands on systems running Wrangler, especially in CI/CD environments. This vulnerability poses significant risks such as the ability to run any shell command including exfiltrating sensitive environment variables or modifying build artifacts. Users are urged to update to the latest Wrangler versions to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Wrangler v3.0.0

Wrangler v4.0.0

Wrangler v2.0.15+

References

https://github.com/cloudflare/workers-sdk

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 20, 2026
Vulnerability Reserved
Jan 14, 2026

JSON

Cloudflare

What is CVE-2026-0933?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.