CVE-2026-41242 · CRITICAL 9.8 · EPSS percentile 42.9%

CVE-2026-41242

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% probability of exploitation · percentile 42.9% · 2026-06-19T12:03:05Z
Published: 2026-04-18
Last modified: 2026-04-23

Underlying weaknesses (1)

CWE-94

References

  1. https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
  2. https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
  3. https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
  4. https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
  5. https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg


Type: Weakness
Target: Improper Control of Generation of Code ('Code Injection') (cwe-94)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE · CVE-2026-44291
  2. CVE · CVE-2026-44293
  3. CVE · CVE-2026-44295
  4. CVE · CVE-2026-44728
  5. CVE · CVE-2026-45302
  6. CVE · CVE-2026-49493
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.