CVE-2026-55849

HIGH

@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized `--workspace` Argument

Title source: cna
STIX 2.1

Description

@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.

Scores

CVSS v4 8.5
EPSS 0.0016
EPSS Percentile 5.5%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
CycloneDX/cyclonedx-node-npm >= 2.1.0, < 5.0.0
Published Jul 08, 2026
Tracked Since Jul 09, 2026