Arbitrary Command Execution Vulnerability in Node Version Manager by nvm
CVE-2026-10796

7.5HIGH

Key Information:

Vendor

Nvm-sh

Status
Vendor
CVE Published:
4 June 2026

What is CVE-2026-10796?

The Node Version Manager (nvm) prior to version 0.40.4 is susceptible to a vulnerability that allows an attacker to execute arbitrary commands through untrusted input in version strings. This occurs during the execution of commands like nvm install, which builds download URLs and shell commands based on the input from a configured Node.js/io.js mirror. Specifically, the use of eval in the nvm_download() function and unchecked interpolation in nvm_get_checksum() makes it possible for a crafted version string to execute arbitrary commands through the shell or awk. This could be exploited by a malicious actor who controls the configured mirror or interferes with a non-TLS mirror, leading to potential security breaches. The vulnerability has been addressed in newer versions by improving command handling through the use of argument lists and input validation.

Affected Version(s)

nvm 0 <= 0.40.4

References

CVSS V4

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

DavidCarliez reported the `nvm_download` eval sink
`nvm_get_checksum` `awk` sink was identified during remediation via an internal audit, fixed by ljharb
.