CVE-2026-41242
N/A
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
CVE Details
CVSS v3.1 score: N/A
Published: 4/18/2026
Last modified: 4/18/2026
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-94
References
https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75 (security-advisories@github.com)
https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956 (security-advisories@github.com)
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5 (security-advisories@github.com)
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1 (security-advisories@github.com)
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.