SB2026061304 - Code injection in protobufjs-cli




Published: June 13, 2026

Security Bulletin ID: SB2026061304
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Code Injection (CVE-ID: CVE-2026-54271)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the pbjs static and static-module targets when processing crafted pre-parsed JSON descriptors. A remote attacker can supply a specially crafted JSON descriptor to execute arbitrary code.

User interaction is required because the generated JavaScript must later be executed or imported and an affected generated API path must be invoked.


Remediation

Install the update from the vendor's website.
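
Alongside the update, JSON descriptors from untrusted sources can be linted before they reach pbjs. The following is an added example, not code from this bulletin or from protobufjs. The bulletin does not say which descriptor fields are affected, so the check assumes that every name and type reference should be a plain protobuf identifier; `lintDescriptor`, `CLEAN` and `SUSPECT` are hypothetical names.

```javascript
// Added example (not protobufjs code): lint an untrusted pre-parsed JSON descriptor.
// Assumption: names and type references must be plain protobuf identifiers.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
// Descriptor maps whose keys are names of namespaces, types, fields, etc.
const NAME_MAPS = ["nested", "fields", "values", "methods", "oneofs"];
// String properties that refer to a type by name.
const TYPE_PROPS = ["type", "keyType", "extend", "requestType", "responseType"];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function lintDescriptor(node, path = "$", findings = []) {
  if (node === null || typeof node !== "object") return findings;
  for (const prop of TYPE_PROPS) {
    if (has(node, prop) && !(typeof node[prop] === "string" && TYPE_REF.test(node[prop]))) {
      findings.push(`${path}.${prop}: not a type reference: ${JSON.stringify(node[prop])}`);
    }
  }
  for (const map of NAME_MAPS) {
    if (!has(node, map)) continue;
    const children = node[map];
    if (children === null || typeof children !== "object" || Array.isArray(children)) {
      findings.push(`${path}.${map}: expected an object`);
      continue;
    }
    for (const name of Object.keys(children)) {
      const childPath = `${path}.${map}[${JSON.stringify(name)}]`;
      if (!IDENT.test(name)) findings.push(`${childPath}: name is not an identifier`);
      lintDescriptor(children[name], childPath, findings);
    }
  }
  // A oneof node lists its member field names in an array.
  for (const member of Array.isArray(node.oneof) ? node.oneof : []) {
    if (typeof member !== "string" || !IDENT.test(member)) {
      findings.push(`${path}.oneof: member is not an identifier: ${JSON.stringify(member)}`);
    }
  }
  return findings;
}

// Constructed sample descriptors (not taken from the bulletin).
const CLEAN = { nested: { shop: { nested: {
  Order: { fields: { id: { type: "uint64", id: 1 },
                     tags: { keyType: "string", type: "shop.Tag", id: 2 } },
           oneofs: { kind: { oneof: ["id"] } } },
  Status: { values: { OPEN: 0, CLOSED: 1 } },
} } } };
const SUSPECT = { nested: { shop: { nested: {
  "Order Item": { fields: { "user-id": { type: "not a type", id: 1 } } },
} } } };
console.log(lintDescriptor(SUSPECT).join("\n"));
```

A build step can reject the descriptor when the returned list is non-empty, before any generated JavaScript is written or imported.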