Vulnerability Report

CVE-2026-41242

RCE

Title: Arbitrary Code Injection in protobufjs

RCE

Proof Of Concept

PoC Available for CVE-2026-41242

CWE Category CWE-94

Published Date Apr 18, 2026

Modified Date Apr 23, 2026

Exploit Status Available

Score 9.4 CVSS v4.0

Exploit Probability (EPSS)

0.58%

Vulnerability Summary

CVE-2026-41242: protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Impacted Vendors

protobufjs_project 1

Reference Links

https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75 https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956 https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5 https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1 https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg

CVSS v4.0

Source Entity [email protected]

Severity CRITICAL

9.4

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1