CVE Alert

CVE-2026-41242

UNKNOWN 0.0

protobufjs has an arbitrary code execution issue

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

CWE: CWE-94
Vendor: protobufjs
Product: protobuf.js
Published: Apr 18, 2026

Affected Versions

protobufjs / protobuf.js
< 7.5.5
>= 8.0.0-experimental, < 8.0.1

References

github.com: https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
github.com: https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
github.com: https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
github.com: https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
github.com: https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1