cvedb.io
CVE-2026-10796
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-06-04T18:16:28.150 · Last modified 2026-06-17T10:12:33.233

Summary

nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user

Affected products

openjsf — node_version_manager

Does this affect you?

Add your gear to cvedb and we'll alert you only when openjsf ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.