Code Injection in protobufjs-cli - CVE-2026-54271

 


Published: June 13, 2026


Vulnerability identifier: #VU134485
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-54271
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: protobuf.js
Affected software: protobufjs-cli

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in pbjs static and static-module code generation when processing crafted pre-parsed JSON descriptors. A remote attacker can provide a specially crafted JSON descriptor to execute arbitrary code.

User interaction is required because the generated JavaScript must later be executed or imported and an affected generated API path must be invoked.
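
Where a build accepts pre-parsed JSON descriptors from outside the team, they can be screened before `pbjs` generates code from them. The following is an added example, not code from protobuf.js or from this advisory. It assumes the standard protobuf.js JSON descriptor layout and that restricting declared names and type references to identifier syntax is a suitable allowlist, which the advisory does not confirm; `checkDescriptor` and both sample descriptors are constructed for illustration.

```javascript
// Added example, not protobuf.js code. Assumption: identifier-shaped names and
// type references are a sensible allowlist; the advisory does not name the
// affected descriptor fields, and "options" values are not inspected here.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
// Maps in a protobuf.js JSON descriptor whose keys are declared names.
const NAME_MAPS = ["nested", "fields", "oneofs", "values", "methods"];
// String properties that refer to another type by name.
const REF_PROPS = ["type", "keyType", "extend", "requestType", "responseType"];

const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

function checkDescriptor(node, path = "$", findings = []) {
  if (!isObject(node)) return findings;
  for (const prop of REF_PROPS) {
    const ref = node[prop];
    if (ref !== undefined && (typeof ref !== "string" || !TYPE_REF.test(ref))) {
      findings.push(`${path}.${prop}`);
    }
  }
  if (Array.isArray(node.oneof)) {
    node.oneof.forEach((member, i) => {
      if (typeof member !== "string" || !IDENT.test(member)) findings.push(`${path}.oneof[${i}]`);
    });
  }
  for (const mapName of NAME_MAPS) {
    if (!isObject(node[mapName])) continue;
    for (const [name, child] of Object.entries(node[mapName])) {
      const childPath = `${path}.${mapName}[${JSON.stringify(name)}]`;
      if (!IDENT.test(name)) findings.push(childPath);
      checkDescriptor(child, childPath, findings);
    }
  }
  return findings;
}

// Constructed sample descriptors (not taken from the advisory).
const cleanDescriptor = JSON.parse(`{"nested":{"demo":{"nested":{
  "User":{"fields":{"id":{"type":"int32","id":1},"tags":{"keyType":"string","type":"string","id":2}}},
  "Kind":{"values":{"A":0,"B":1}}}}}}`);
const oddDescriptor = JSON.parse(`{"nested":{"demo":{"nested":{
  "User":{"fields":{"id":{"type":"int 32","id":1},"not-a-name":{"type":"string","id":2}}}}}}}`);

console.log(checkDescriptor(cleanDescriptor)); // no findings
console.log(checkDescriptor(oddDescriptor));   // paths of the two rejected entries
```

A non-empty result is a reason to reject the descriptor before generation; the check is deliberately conservative and may flag unusual but harmless names.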


How to mitigate CVE-2026-54271

Install the security update from the vendor's website.
