RCE in Nvm-sh Nvm

CVE-2026-1665

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget co…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.000 (8.9th percentile)
