CVE Catalog

CVE-2026-41242

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.75%

50th percentile — higher than 50% of all known CVEs

Summary

A vulnerability in the protobufjs library allows arbitrary JavaScript code injection via specially crafted 'type' fields in protobuf definitions. The code executes during object decoding using that definition. The issue is fixed in versions 8.0.1 and 7.5.5.

Risk Assessment

An attacker can remotely execute arbitrary JavaScript code in the context of the application using protobufjs, leading to system compromise, data theft, or further attack propagation.

Recommendation

Immediately update protobufjs to version 8.0.1 or 7.5.5. Before updating, review any protobuf definitions from untrusted sources for malicious content.

Original NVD description (English source)

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS