CVE-2026-44294

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L                                    

Vulnerability Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.

Vulnerability Details

Published Date

May 12, 2026

Last Modified

May 13, 2026

CWE ID

CWE-20

Source

GitHub

Vendor

npm

Product

protobufjs

External References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-2pr8-phx7-x9h3
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2
https://github.com/advisories/GHSA-2pr8-phx7-x9h3

CVE-2026-44294

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment