@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument
Summary A command injection vulnerability exists in @cyclonedx/cyclonedx-npm when the CLI is invoked with the --workspace option while the environment variable npmexecpath is unset or empty. User‑supplied --workspace values are passed to a subshell without proper sanitization, enabling attackers ...