CVE-2026-55849información

Resumen

por MITRE • 2026-07-08

@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Divulgación

2026-07-08

Moderación

en revisión

EPSS

0.00000

KEV

no

Actividades

muy bajo

Fuentes

Interested in the pricing of exploits?

See the underground prices here!