{“lastseen”:””,”description”:”SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `–commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `–commit-hash` to execute arbitrary commands on the system running Wrangler.\\n\\n\\n\\n\\nRoot causeThe commitHash variable, derived from user input via the –commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., \u00a0execSync(`git show -s –format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\\n\\n\\n\\n\\nImpactThis vulnerability is generally hard to exploit, as it requires –commit-hash to be attacker controlled. The vulnerability primarily affects CI\/CD environments where `wrangler pages deploy` is used in automated pipelines and the \\n\\n–commit-hash\u00a0parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\\n\\n * Run any shell command.\\n * Exfiltrate environment variables.\\n * Compromise the CI runner to install backdoors or modify build artifacts.\\n\\n\\n\\nCredits Disclosed responsibly by kny4hacker.\\n\\n\\n\\n\\nMitigation\\n * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\\n * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\\n * Users on Wrangler v2 (EOL) should upgrade to a supported major version.”,”published”:”2026-01-20T22:58:05.212Z”,”modified”:”2026-01-20T22:58:05.212Z”,”type”:”cve”,”title”:”OS Command Injection in `wrangler pages deploy`”,”source”:”cloudflare”,”references”:”https:\/\/github.com\/cloudflare\/workers-sdk”,”id”:”CVE-2026-0933″,”bulletinFamily”:””,”cwe”:[“CWE-20″],”cvelist”:null,”sourceData”:”Cloudflare Wrangler v3.0.0\\nCloudflare Wrangler v4.0.0\\nCloudflare Wrangler v2.0.15+”,”sourceHref”:””,”cvss”:{“score”:7.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:L\/UI:N\/VC:H\/VI:H\/VA:H\/SC:L\/SI:L\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Wrangler”,”version”:”v3.0.0″,”vendor”:”Cloudflare”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `–commit-hash` parameter is passed…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,87,12,15,13,7,11,5],"class_list":["post-36637","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-77","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n