{
  "title": "@cyclonedx/cdxgen Maven Scanner Command Injection",
  "summary": "CycloneDX cdxgen before 12.4.3 could pass shell metacharacters found in repository-controlled Maven module paths through to a shell while scanning an attacker-controlled project, allowing arbitrary command execution in the scanner's context. Developer workstations and CI SBOM runners that scan untrusted repositories with an unpatched version should treat the scan as equivalent to running that repository's code; upgrade to 12.4.3 or later.",
  "date": "2026-06-26",
  "severity": "high",
  "tags": [
    "cyclonedx",
    "cdxgen",
    "sbom",
    "maven",
    "developer-tooling"
  ],
  "sources_count": 3,
  "indicators": {
    "slug": "cyclonedx-cdxgen-maven-scanning-command-injection",
    "since": "2026-06-26T00:00:00Z",
    "until": "2026-06-26T23:59:59Z",
    "ecosystem": "",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}