CVE-2026-1665 is a medium-severity OS command injection vulnerability affecting nvm (Node Version Manager) versions 0.40.3 and earlier. The root cause is improper neutralization of special elements in the NVM_AUTH_HEADER environment variable within the nvm_download() function. This function uses the eval command to execute wget commands for downloading Node.js versions or metadata. While the curl code path sanitizes this environment variable, the wget path does not, allowing an attacker who can set environment variables in the victim’s shell environment to inject arbitrary shell commands. Such environment variable control can be achieved through compromised CI/CD pipelines, malicious dotfiles, or tainted Docker images. When the victim runs nvm commands that trigger downloads (e.g., 'nvm install' or 'nvm ls-remote'), the injected commands execute with the victim’s privileges. The vulnerability requires local or limited privileges (PR:L) and user interaction (UI:P) to trigger, and it does not affect system-wide security controls (SC:N). The impact on confidentiality, integrity, and availability is high if exploited, as arbitrary code execution can lead to system compromise. No patches or fixes are currently linked, and no known exploits are reported in the wild. This vulnerability highlights the risks of using eval with unsanitized input and the importance of securing environment variables in developer tooling and automated environments.

For European organizations, the impact of CVE-2026-1665 can be significant, particularly for those relying heavily on Node.js development environments, CI/CD pipelines, and containerized deployments using nvm. Successful exploitation could lead to arbitrary code execution on developer workstations or build servers, potentially compromising source code integrity, leaking sensitive information, or enabling lateral movement within internal networks. Organizations with automated build and deployment processes are at higher risk, as attackers could inject malicious commands via environment variables in CI/CD configurations or Docker images. This could disrupt software supply chains or introduce backdoors into production software. The medium CVSS score reflects the need for some level of access and user interaction, but the potential damage to confidentiality, integrity, and availability is high if exploited. European companies in technology, finance, and critical infrastructure sectors that depend on Node.js development tools should be particularly vigilant.

To mitigate this vulnerability, European organizations should: 1) Immediately audit and sanitize environment variables, especially NVM_AUTH_HEADER, in all developer and CI/CD environments to prevent injection of malicious content. 2) Avoid using nvm versions 0.40.3 and below; upgrade to the latest patched version once available. 3) Restrict permissions and access to CI/CD configurations, dotfiles, and Docker images to trusted personnel only. 4) Implement strict validation and sanitization of environment variables in build and deployment pipelines. 5) Use container image scanning tools to detect malicious environment variable settings or injected commands. 6) Educate developers and DevOps teams about the risks of environment variable injection and the dangers of using eval with unsanitized input. 7) Monitor logs and system behavior for unusual command execution patterns during nvm operations. 8) Consider isolating build environments to limit the impact of potential compromise. These steps go beyond generic advice by focusing on environment variable hygiene, access control, and pipeline security specific to the nature of this vulnerability.