9.8
CVE-2026-41242
- EPSS 0.58%
- Veröffentlicht 18.04.2026 16:18:10
- Zuletzt bearbeitet 23.04.2026 15:26:37
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginprotobufjs has an arbitrary code execution issue
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Protobufjs Project ≫ Protobufjs SwPlatformnode.js Version < 7.5.5
Protobufjs Project ≫ Protobufjs Version8.0.0 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.58% | 0.428 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 9.4 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1