Arbitrary OS Command Execution in CycloneDX Software Bill of Materials CLI by CycloneDX
CVE-2026-55849

8.5HIGH

Key Information:

Vendor

Cyclonedx

Vendor
CVE Published:
8 July 2026

What is CVE-2026-55849?

The CycloneDX Software Bill of Materials CLI versions 2.1.0 to 4.9.9 is susceptible to arbitrary OS command execution. This vulnerability arises when the CLI processes user-defined workspace values through a subshell without adequate input sanitization, particularly when the npm_execpath variable is unset or empty. Exploiting this flaw allows attackers to execute arbitrary commands with the permissions of the user running the CLI. Users are urged to upgrade to version 5.0.0 or later, where this security issue has been resolved.

Affected Version(s)

cyclonedx-node-npm >= 2.1.0, < 5.0.0

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.