@cyclonedx/cdxgen Maven Scanner Command Injection
Confirmed
Discovered Jun 26, 2026
CycloneDX cdxgen before 12.4.3 could execute shell metacharacters from repository-controlled Maven module paths when scanning attacker-controlled projects, putting developer workstations and CI SBOM runners at risk.
Summary: 1 affected package, 10 observables, 4 sources
Timeline
| Date | Event | Description | Source |
|---|---|---|---|
| Jun 26, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Direct source |
Affected Software
| Package | Ecosystem | Version Range | Status | Confidence | Source |
|---|---|---|---|---|---|
| @cyclonedx/cdxgen < 12.4.3 | npm | unknown | Malicious | 90% | Direct source |
IOC Clipboard
10 IOCs
| Type | Value |
|---|---|
| url | https://github.com/cdxgen/cdxgen/security/advisories/GHSA-5vwr-qchf-q4pf |
| url | https://github.com/cdxgen/cdxgen/pull/4059 |
| file_path | package.json |
| file_path | package-lock.json |
| file_path | pnpm-lock.yaml |
| file_path | yarn.lock |
| file_path | .github/workflows |
| command | cdxgen |
| command | --type maven |
| command | -t maven |
Provenance & Sources
| Source | Type | Reliability | Claims | Evidence |
|---|---|---|---|---|
| Direct source | direct | 95% | 1 | https://github.com/cdxgen/cdxgen/security/advisories/GHSA-5vwr-qchf-q4pf |
| Direct source | direct | 95% | 1 | https://github.com/cdxgen/cdxgen/pull/4059 |
| Primary research | primary research | 95% | 1 | https://github.com/cdxgen/cdxgen/security/advisories/GHSA-5vwr-qchf-q4pf |
| Correlated source | correlated | 80% | 1 | https://github.com/advisories/GHSA-5vwr-qchf-q4pf |