CVE-2026-55849 in cyclonedx-node-npminfo

Zusammenfassung

von MITRE • 09.07.2026

@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Zuständig

GitHub M

Reservieren

17.06.2026

Veröffentlichung

09.07.2026

Moderieren

akzeptiert

Eintrag

VDB-377106

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Might our Artificial Intelligence support you?

Check our Alexa App!