RCE in Cyclonedx Cyclonedx-node-npm

CVE-2026-55849

@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty…

Vulnerability class: Command Injection (OS Command Injection)

Affected products

Weakness classification (CWE)

References