Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/wrangler@2.18.0

Type npm

Namespace

Name wrangler

Version 2.18.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-2x7r-6sqf-ffeh

vulnerability_id VCID-2x7r-6sqf-ffeh

summary The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-3348

reference_id

reference_type

scores

value	0.00243
scoring_system	epss
scoring_elements	0.47994
published_at	2026-06-13T12:55:00Z

value	0.00243
scoring_system	epss
scoring_elements	0.47979
published_at	2026-06-14T12:55:00Z

value	0.00243
scoring_system	epss
scoring_elements	0.47978
published_at	2026-06-12T12:55:00Z

value	0.00243
scoring_system	epss
scoring_elements	0.47837
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-3348

reference_url

https://developers.cloudflare.com/workers/wrangler

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://developers.cloudflare.com/workers/wrangler

reference_url

https://github.com/cloudflare/workers-sdk/commit/fddffdf0c23d2ca56f2139a2c6bc278052594cba

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/commit/fddffdf0c23d2ca56f2139a2c6bc278052594cba

reference_url

https://github.com/cloudflare/workers-sdk/pull/3498

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/pull/3498

reference_url

https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%403.1.1

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%403.1.1

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-3348

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-3348

reference_url

https://github.com/advisories/GHSA-8c93-4hch-xgxp

reference_id

GHSA-8c93-4hch-xgxp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8c93-4hch-xgxp

reference_url

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp

reference_id

GHSA-8c93-4hch-xgxp

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:30:56Z/

url

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp

reference_url

https://github.com/cloudflare/workers-sdk

reference_id

workers-sdk

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:30:56Z/

url

https://github.com/cloudflare/workers-sdk

reference_url

https://developers.cloudflare.com/workers/wrangler/

reference_id

wrangler

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:30:56Z/

url

https://developers.cloudflare.com/workers/wrangler/

fixed_packages

url pkg:npm/wrangler@2.20.1

purl pkg:npm/wrangler@2.20.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3nh5-avj1-4qfp

vulnerability	VCID-nqyp-j2yy-w7ca

vulnerability	VCID-tyqy-tb73-3kaq

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/wrangler@2.20.1

url pkg:npm/wrangler@3.1.1

purl pkg:npm/wrangler@3.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3nh5-avj1-4qfp

vulnerability	VCID-nqyp-j2yy-w7ca

vulnerability	VCID-tyqy-tb73-3kaq

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/wrangler@3.1.1

aliases CVE-2023-3348, GHSA-8c93-4hch-xgxp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2x7r-6sqf-ffeh

url

VCID-3nh5-avj1-4qfp

vulnerability_id

VCID-3nh5-avj1-4qfp

summary

Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`

references

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-0933

reference_id

CVE-2026-0933

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-0933

reference_url

https://github.com/advisories/GHSA-8h3q-9fpp-c883

reference_id

GHSA-8h3q-9fpp-c883

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8h3q-9fpp-c883

fixed_packages

aliases

GHSA-8h3q-9fpp-c883

risk_score

4.0

exploitability

0.5

weighted_severity

8.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-3nh5-avj1-4qfp

url VCID-nqyp-j2yy-w7ca

vulnerability_id VCID-nqyp-j2yy-w7ca

summary Arbitrary remote code execution within `wrangler dev` Workers sandbox

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-7080

reference_id

reference_type

scores

value	0.00043
scoring_system	epss
scoring_elements	0.1346
published_at	2026-06-14T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13368
published_at	2026-06-11T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13485
published_at	2026-06-13T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13479
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-7080

reference_url

https://github.com/cloudflare/workers-sdk/commit/05b1bbd2f5b8e60268e30c276067c3a3ae1239cf

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/commit/05b1bbd2f5b8e60268e30c276067c3a3ae1239cf

reference_url

https://github.com/cloudflare/workers-sdk/commit/29df8e17545bf3926b6d61678b596be809d40c6d

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/commit/29df8e17545bf3926b6d61678b596be809d40c6d

reference_url

https://github.com/cloudflare/workers-sdk/commit/49a469601adaa9eb9e1f2d6de197c1979d5c6c1b

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/commit/49a469601adaa9eb9e1f2d6de197c1979d5c6c1b

reference_url

https://github.com/cloudflare/workers-sdk/commit/63708a94fb7a055bf15fa963f2d598b47b11d3c0

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/commit/63708a94fb7a055bf15fa963f2d598b47b11d3c0

reference_url

https://github.com/cloudflare/workers-sdk/issues/4430

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/issues/4430

reference_url

https://github.com/cloudflare/workers-sdk/pull/4437

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/pull/4437

reference_url

https://github.com/cloudflare/workers-sdk/pull/4535

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/pull/4535

reference_url

https://github.com/cloudflare/workers-sdk/pull/4550

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/pull/4550

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-7080

reference_id

CVE-2023-7080

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-7080

reference_url

https://github.com/advisories/GHSA-f8mp-x433-5wpf

reference_id

GHSA-f8mp-x433-5wpf

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f8mp-x433-5wpf

reference_url

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf

reference_id

GHSA-f8mp-x433-5wpf

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf

fixed_packages

url pkg:npm/wrangler@2.20.2

purl pkg:npm/wrangler@2.20.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3nh5-avj1-4qfp

vulnerability	VCID-tyqy-tb73-3kaq

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/wrangler@2.20.2

url pkg:npm/wrangler@3.19.0

purl pkg:npm/wrangler@3.19.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3nh5-avj1-4qfp

vulnerability	VCID-tyqy-tb73-3kaq

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/wrangler@3.19.0

aliases CVE-2023-7080, GHSA-f8mp-x433-5wpf

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nqyp-j2yy-w7ca

url VCID-tyqy-tb73-3kaq

vulnerability_id VCID-tyqy-tb73-3kaq

summary

SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.




Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g.,  execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.




ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the 

--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

  *  Run any shell command.
  *  Exfiltrate environment variables.
  *  Compromise the CI runner to install backdoors or modify build artifacts.



Credits Disclosed responsibly by kny4hacker.




Mitigation
  *  Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
  *  Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
  *  Users on Wrangler v2 (EOL) should upgrade to a supported major version.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-0933

reference_id

reference_type

scores

value	0.00068
scoring_system	epss
scoring_elements	0.21213
published_at	2026-06-12T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.2121
published_at	2026-06-14T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.21229
published_at	2026-06-13T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.21034
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-0933

reference_url

https://github.com/cloudflare/workers-sdk/commit/99b1f328a9afe181b49f1114ed47f15f6d25f0be

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/commit/99b1f328a9afe181b49f1114ed47f15f6d25f0be

reference_url

https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%403.114.17

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%403.114.17

reference_url

https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%404.59.1

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%404.59.1

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-0933

reference_id

CVE-2026-0933

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-0933

reference_url

https://github.com/advisories/GHSA-36p8-mvp6-cv38

reference_id

GHSA-36p8-mvp6-cv38

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-36p8-mvp6-cv38

reference_url

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-36p8-mvp6-cv38

reference_id

GHSA-36p8-mvp6-cv38

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-36p8-mvp6-cv38

reference_url

https://github.com/cloudflare/workers-sdk

reference_id

workers-sdk

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-23T18:58:09Z/

url

https://github.com/cloudflare/workers-sdk

fixed_packages

url pkg:npm/wrangler@3.114.17

purl pkg:npm/wrangler@3.114.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3nh5-avj1-4qfp

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/wrangler@3.114.17

url pkg:npm/wrangler@4.59.1

purl pkg:npm/wrangler@4.59.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3nh5-avj1-4qfp

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/wrangler@4.59.1

aliases CVE-2026-0933, GHSA-36p8-mvp6-cv38

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tyqy-tb73-3kaq

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/wrangler@2.18.0

Package Instance