Arbitrary OS Command Execution in CycloneDX Software Bill of Materials CLI by CycloneDX
CVE-2026-55849
8.5HIGH
What is CVE-2026-55849?
The CycloneDX Software Bill of Materials CLI versions 2.1.0 to 4.9.9 is susceptible to arbitrary OS command execution. This vulnerability arises when the CLI processes user-defined workspace values through a subshell without adequate input sanitization, particularly when the npm_execpath variable is unset or empty. Exploiting this flaw allows attackers to execute arbitrary commands with the permissions of the user running the CLI. Users are urged to upgrade to version 5.0.0 or later, where this security issue has been resolved.
Affected Version(s)
cyclonedx-node-npm >= 2.1.0, < 5.0.0
