PT-2026-33607 · Npm · Protobufjs

Published 2026-04-16 · Updated 2026-05-22 · CVE-2026-41242

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

protobufjs versions prior to 8.0.1
protobufjs versions prior to 7.5.5

Description

This issue involves improper code generation when compiling protobuf definitions into JavaScript functions. Attackers can inject arbitrary code into the 'type' fields of protobuf definitions, which leads to remote code execution during the object decoding process.

Recommendations

Update to version 8.0.1.
Update to version 7.5.5.
Avoid decoding untrusted protobuf definitions.
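Where definitions from outside the trust boundary cannot be avoided entirely, a pre-load check can reject any descriptor whose 'type' values are not plain identifiers. The following is an added example, not code from this advisory or from protobufjs; it assumes the definition arrives as a protobufjs JSON descriptor, and the function names and sample descriptors are hypothetical.

```javascript
// Added example, not protobufjs code. Assumes protobufjs's JSON descriptor
// layout: namespaces under `nested`, message fields under `fields`.
const SAFE_TYPE = /^\.?[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const TYPE_KEYS = ["type", "keyType"]; // keyType is used by map fields

const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Walk the descriptor and collect every type reference that is not a plain
// (optionally dotted) identifier. Returns [] when nothing suspicious is found.
function findUnsafeTypes(node, path = "", findings = []) {
  if (!isObject(node)) return findings;
  const at = (name) => (path ? `${path}.${name}` : name);
  for (const [fieldName, field] of Object.entries(isObject(node.fields) ? node.fields : {})) {
    for (const key of TYPE_KEYS) {
      if (!isObject(field) || !Object.prototype.hasOwnProperty.call(field, key)) continue;
      const value = field[key];
      if (typeof value !== "string" || !SAFE_TYPE.test(value)) {
        findings.push({ path: at(fieldName), key, value });
      }
    }
  }
  for (const [name, child] of Object.entries(isObject(node.nested) ? node.nested : {})) {
    findUnsafeTypes(child, at(name), findings);
  }
  return findings;
}

// Reject the descriptor before it is handed to the library.
function assertSafeDescriptor(descriptor) {
  const findings = findUnsafeTypes(descriptor);
  if (findings.length > 0) {
    const where = findings.map((f) => `${f.path} (${f.key})`).join(", ");
    throw new Error(`descriptor rejected, non-identifier type at: ${where}`);
  }
  return descriptor;
}

// Constructed sample descriptors (not taken from the advisory).
const CLEAN = { nested: { demo: { nested: {
  Msg: { fields: { id: { type: "int32", id: 1 },
                   tags: { keyType: "string", type: "demo.Tag", id: 2 } } },
  Tag: { fields: { name: { type: "string", id: 1 } } },
} } } };
const SUSPICIOUS = { nested: { demo: { nested: {
  Msg: { fields: { payload: { type: "int32;not_an_identifier()", id: 1 } } },
} } } };

console.log(findUnsafeTypes(CLEAN));
console.log(findUnsafeTypes(SUSPICIOUS));
```

This check is defense in depth for descriptors that must be accepted from other parties; it does not replace updating to 8.0.1 or 7.5.5.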

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-05548
CVE-2026-41242

Affected Products

Protobufjs