{"id":"CVE-2026-55849","summary":"@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized `--workspace` Argument","details":"@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.","aliases":["GHSA-v75r-vx73-82pj"],"modified":"2026-07-15T01:49:22.624613073Z","published":"2026-07-08T21:10:15.798Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55849.json"},"references":[{"type":"WEB","url":"https://github.com/CycloneDX/cyclonedx-node-npm/releases/tag/v5.0.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55849.json"},{"type":"ADVISORY","url":"https://github.com/CycloneDX/cyclonedx-node-npm/security/advisories/GHSA-v75r-vx73-82pj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55849"},{"type":"FIX","url":"https://github.com/CycloneDX/cyclonedx-node-npm/commit/9f646253f4263d8644dadb86e5597fad996f688f"},{"type":"FIX","url":"https://github.com/CycloneDX/cyclonedx-node-npm/pull/1476"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cyclonedx/cyclonedx-node-npm","events":[{"introduced":"e67af5e133e9263f4e9c4a634cab5ac122d0f7f3"},{"fixed":"756bde16c2aab0618114083301bc8b1b3f344208"},{"fixed":"9f646253f4263d8644dadb86e5597fad996f688f"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"2.1.0"},{"fixed":"5.0.0"}]}}],"versions":["v4.2.1","v4.2.0","v4.1.2","v4.1.1","v4.1.1-rc.0","v4.1.0","v4.0.3","v4.0.2","v4.0.1","v4.0.0","v3.1.0","v3.0.0","v2.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55849.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}