
CycloneDX — Vulnerabilities & Security Advisories (4)

Browse all 4 CVE security advisories affecting CycloneDX, each with an AI-generated Chinese analysis, proof-of-concept (POC) material and references.

CycloneDX is an open standard (an OWASP project) for software bills of materials (SBOMs): machine-readable inventories of the components, dependencies and services that make up a piece of software, which organizations use to know what is in their supply chain and to decide which advisories apply to it. The advisories collected here concern tools and libraries that produce or consume CycloneDX documents rather than the specification itself. Historically they have included cross-site scripting (XSS), remote code execution (RCE) and privilege-escalation flaws, typically rooted in missing input validation or insecure deserialization of BOM content. No widely reported incident has exploited them, but four CVEs in SBOM tooling is a reminder that a BOM is untrusted input: a parser that evaluates or deserializes a document handed to it by a build pipeline or a third-party supplier sits on the same attack surface as any other document parser. The project handles reports through public vulnerability disclosure; consumers should keep CycloneDX libraries and plugins current and treat BOM parsing with the same care as any other untrusted-input handling, a concern that grows as SBOMs become a routine exchange format.
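To make the inventory-and-triage use of CycloneDX concrete, here is an added example (not code from the CycloneDX project or from this page) that parses a CycloneDX 1.5 JSON BOM, walks its components including nested ones, and maps the embedded `vulnerabilities` entries (the CycloneDX 1.4+ array also used for VEX) onto the components they claim to affect. The sample BOM, its package names and the advisory IDs `EXAMPLE-0001`/`EXAMPLE-0002` are constructed placeholders, not real packages or CVEs. The format check in `load_bom` and the use of plain `json.loads` are the minimal defence against the input-validation and deserialization issues mentioned above.

```python
"""Triage a CycloneDX JSON BOM: inventory components and resolve embedded
vulnerability entries to the components they affect (added example)."""
import json

# Constructed sample BOM: fictional packages and placeholder advisory IDs.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "example-lib",
         "version": "1.2.3", "purl": "pkg:npm/example-lib@1.2.3",
         # nested component: a dependency bundled inside example-lib
         "components": [
             {"type": "library", "bom-ref": "lib-c", "name": "bundled-util",
              "version": "0.9.0", "purl": "pkg:npm/bundled-util@0.9.0"}]},
        {"type": "library", "bom-ref": "lib-b", "name": "other-lib",
         "version": "2.0.0"},  # no purl: cannot be matched by package URL
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",  # placeholder, not a real CVE
         "source": {"name": "constructed"},
         "ratings": [{"severity": "medium", "method": "CVSSv2", "score": 6.5},
                     {"severity": "high", "method": "CVSSv31", "score": 8.1}],
         "cwes": [502],
         "affects": [{"ref": "lib-a"}, {"ref": "lib-c"}]},
        {"id": "EXAMPLE-0002",
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "lib-missing"}]},  # dangling bom-ref
    ],
})

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]


def load_bom(text):
    """Parse with json.loads only (never eval/pickle) and check the format
    marker before any other field is trusted."""
    bom = json.loads(text)
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return bom


def is_cyclonedx(text):
    """True if the text parses as a CycloneDX BOM, False otherwise."""
    try:
        load_bom(text)
        return True
    except (ValueError, TypeError):
        return False


def iter_components(components):
    """Depth-first walk: a component may itself contain components."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def index_components(bom):
    """Map bom-ref -> 'name@version' for every component that has a ref."""
    return {c["bom-ref"]: f"{c.get('name')}@{c.get('version')}"
            for c in iter_components(bom.get("components")) if "bom-ref" in c}


def components_without_purl(bom):
    """Components with no package URL cannot be matched against advisories
    by purl and need manual review."""
    return [c.get("name") for c in iter_components(bom.get("components"))
            if not c.get("purl")]


def worst_severity(ratings):
    """Most severe label across all ratings; unrecognised labels sort last."""
    labels = [r.get("severity", "unknown") for r in ratings] or ["unknown"]
    return min(labels, key=lambda s: SEVERITY_ORDER.index(s)
               if s in SEVERITY_ORDER else len(SEVERITY_ORDER))


def triage(bom):
    """One row per vulnerability: id, worst severity, CWEs, resolved affected
    components, and any 'affects' refs that point at nothing in the BOM."""
    refs = index_components(bom)
    rows = []
    for vuln in bom.get("vulnerabilities", []):
        affected, dangling = [], []
        for entry in vuln.get("affects", []):
            ref = entry.get("ref")
            if ref in refs:
                affected.append(refs[ref])
            else:
                dangling.append(ref)
        rows.append({"id": vuln.get("id"),
                     "severity": worst_severity(vuln.get("ratings", [])),
                     "cwes": vuln.get("cwes", []),
                     "affected": affected,
                     "dangling_refs": dangling})
    return rows


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    print("components without purl:", components_without_purl(bom))
    for row in triage(bom):
        print(row)
```

Dangling `affects` refs and purl-less components are reported rather than silently dropped: in a real pipeline both are the cases where an advisory can be missed, so they are the rows a reviewer most needs to see.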


This page lists every published CVE security advisory associated with CycloneDX. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.