Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-v75r-vx73-82pj | @cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument |
Thu, 09 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | @cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0. | |
| Title | @cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized `--workspace` Argument | |
| Weaknesses | CWE-78 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T19:36:40.011Z
Reserved: 2026-06-17T16:44:40.994Z
Link: CVE-2026-55849
Updated: 2026-07-09T19:36:36.494Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T04:00:11Z
Github GHSA