CVE-2026-55849
Severity CVSS v4.0:
HIGH
Type:
CWE-78
OS Command Injections
Publication date:
08/07/2026
Last modified:
09/07/2026
Description
@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.
Impact
Base Score 4.0
8.50
Severity 4.0
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/CycloneDX/cyclonedx-node-npm/commit/9f646253f4263d8644dadb86e5597fad996f688f
- https://github.com/CycloneDX/cyclonedx-node-npm/pull/1476
- https://github.com/CycloneDX/cyclonedx-node-npm/releases/tag/v5.0.0
- https://github.com/CycloneDX/cyclonedx-node-npm/security/advisories/GHSA-v75r-vx73-82pj



