@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.
History

Fri, 10 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Cyclonedx
Cyclonedx cyclonedx Node Npm
Vendors & Products Cyclonedx
Cyclonedx cyclonedx Node Npm

Thu, 09 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description @cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.
Title @cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized `--workspace` Argument
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-08T21:10:15.798Z

Updated: 2026-07-09T19:36:40.011Z

Reserved: 2026-06-17T16:44:40.994Z

Link: CVE-2026-55849

cve-icon Vulnrichment

Updated: 2026-07-09T19:36:36.494Z

cve-icon NVD

No data.

cve-icon Redhat

No data.