Code Injection in protobufjs-cli - CVE-2026-44295

Published: May 12, 2026


Vulnerability identifier: #VU131161
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-44295
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: protobuf.js
Affected software:
protobufjs-cli

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation (CWE-94) in the static JavaScript that pbjs emits when it processes a crafted schema or JSON descriptor. A remote user can supply crafted schema names that are copied into the generated JavaScript output, injecting attacker-controlled code that executes when that output is run.

User interaction is required because the generated JavaScript file must later be executed, imported, or otherwise evaluated.
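As an added illustration of the defensive check this class of bug calls for (example code written for this page, not protobufjs-cli's own code and not a description of the fixed behaviour), the script below walks a protobuf.js-style JSON descriptor and reports every message, field, enum value, method or type name that is not a plain identifier, so a build can refuse to run code generation on a descriptor it does not fully control. The descriptor layout (`nested`, `fields`, `values`, `methods`, `oneofs`) follows the JSON format protobuf.js uses for `Root.toJSON()`; the two sample descriptors and the function names are constructed for this example.

```javascript
// Added defender-side example (not protobufjs-cli code): gate a protobuf.js
// JSON descriptor before handing it to a code generator. Any name that a
// generator might splice into JavaScript source must be a plain identifier;
// anything else is reported with its path so the build can stop early.

// Simple names: message, field, enum value, method and oneof names.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Type references may be dotted ("pkg.Msg") and may start with a leading dot.
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Recursively inspect the descriptor. Returns [{ path, value, reason }].
function findUnsafeNames(descriptor) {
  const findings = [];

  function checkName(name, path) {
    if (!IDENT.test(name)) {
      findings.push({ path, value: name, reason: 'not a plain identifier' });
    }
  }

  function checkTypeRef(ref, path) {
    if (typeof ref === 'string' && !TYPE_REF.test(ref)) {
      findings.push({ path, value: ref, reason: 'not a valid type reference' });
    }
  }

  function walk(node, path) {
    if (!node || typeof node !== 'object') return;
    for (const section of ['nested', 'fields', 'values', 'methods', 'oneofs']) {
      const table = node[section];
      if (!table || typeof table !== 'object') continue;
      for (const [name, child] of Object.entries(table)) {
        const childPath = path ? `${path}.${name}` : name;
        checkName(name, childPath);
        if (section === 'fields' && child) {
          checkTypeRef(child.type, `${childPath}.type`);
        }
        if (section === 'methods' && child) {
          checkTypeRef(child.requestType, `${childPath}.requestType`);
          checkTypeRef(child.responseType, `${childPath}.responseType`);
        }
        if (section === 'oneofs' && child && Array.isArray(child.oneof)) {
          // A oneof lists the field names it groups; those are emitted too.
          child.oneof.forEach((f) => checkName(f, `${childPath}.oneof`));
        }
        if (section === 'nested') walk(child, childPath);
      }
    }
  }

  walk(descriptor, '');
  return findings;
}

// Gate for a build step: only generate code when nothing was flagged.
function isSafeToGenerate(descriptor) {
  return findUnsafeNames(descriptor).length === 0;
}

// Constructed sample: every name is a plain identifier.
const cleanDescriptor = {
  nested: {
    shop: {
      nested: {
        Order: { fields: { id: { type: 'uint64', id: 1 }, customer: { type: 'Customer', id: 2 } } },
        Customer: { fields: { name: { type: 'string', id: 1 } } },
        Status: { values: { NEW: 0, PAID: 1 } },
        OrderService: { methods: { Get: { requestType: 'Order', responseType: 'Order' } } },
      },
    },
  },
};

// Constructed sample: three names that a generator must not copy verbatim.
const taintedDescriptor = {
  nested: {
    shop: {
      nested: {
        'Order Item': { fields: { id: { type: 'uint64', id: 1 } } },
        Customer: { fields: { 'first-name': { type: 'string', id: 1 } } },
        OrderService: { methods: { Get: { requestType: 'Order Item', responseType: 'Order' } } },
      },
    },
  },
};

// Example run: a CI step would exit non-zero when findings are present.
for (const f of findUnsafeNames(taintedDescriptor)) {
  console.log(`${f.path}: ${JSON.stringify(f.value)} (${f.reason})`);
}
```

The check is deliberately stricter than what the protobuf language allows; names containing anything outside `[A-Za-z0-9_]` are rare in legitimate schemas and are exactly the values that become dangerous once a template concatenates them into source text. Running it on descriptors received from other teams or third parties, before pbjs or any other generator sees them, gives a cheap pre-generation control that does not depend on the generator's own escaping.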


How to mitigate CVE-2026-44295

Install the security update from the vendor's website.

Sources