CVE-2026-55849
The CVE affects @cyclonedx/cyclonedx-npm: from 2.1.0 up to 5.0.0, the CLI passes user-supplied --workspace values to a subshell when npm_execpath is unset or empty, enabling arbitrary OS command execution with the invoking user’s privileges. Root cause is unsanitized input used in a shell command...