A vulnerability, which was classified as problematic, has been found in CycloneDX cyclonedx-node-npm up to 4.x. This vulnerability affects unknown code of the component CLI. The manipulation of the argument –workspace leads to os command injection.

This vulnerability is referenced as CVE-2026-55849. The attack can only be performed from a local environment. No exploit is available.