CVE-2026-41242

N/A Unknown
Published: April 18, 2026 Modified: April 18, 2026
View on NVD

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
Source: security-advisories@github.com
https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
Source: security-advisories@github.com
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
Source: security-advisories@github.com
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
Source: security-advisories@github.com
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
Source: security-advisories@github.com

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-94

Related CVEs

CVE-2026-6563 8.8
CVE-2026-6562 7.3
CVE-2026-6561 4.7
CVE-2026-6560 8.8
CVE-2026-6559 4.3