CVE-2026-42290

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-42290

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42290.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-42290

Aliases

GHSA-f84p-cvgm-xgjj

Related

CGA-vfc5-249v-j9vx

Published

2026-05-13T14:49:30.030Z

Modified

2026-06-18T03:57:36.511998988Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

protobufjs-cli: OS Command Injection

Details

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42290.json"
}

References

Affected packages

Git / github.com/protobufjs/protobuf.js

Affected ranges

Type

GIT

Repo

https://github.com/protobufjs/protobuf.js

Events

Introduced

Fixed

2189e5beeca6a70e4c104dfdb9fb8200bc5f81fe

Introduced

933e8750dcd000c16a621a7344a4beaa034c4019

Fixed

658b93e163d9aff8c31236c168657bab5e2d9bbc

Database specific

{
    "cpe": "cpe:2.3:a:protobufjs_project:protobufjs-cli:*:*:*:*:*:node.js:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.2.1"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.2"
        }
    ]
}

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.1.1

6.2.0

6.2.1

6.3.0

6.3.1

6.4.0

6.4.1

6.4.2

6.4.3

6.4.4

6.4.5

6.4.6

6.5.0

6.5.1

6.5.2

6.5.3

6.6.0

6.6.1

6.6.2

6.6.3

6.6.4

6.6.5

6.7.0

6.7.1

6.7.2

6.7.3

6.8.0

6.8.1

6.8.2

6.8.3

6.8.4

6.8.5

6.8.6

6.8.7

6.8.8

protobufjs-cli-v1.*

protobufjs-cli-v1.0.0

protobufjs-cli-v1.0.1

protobufjs-cli-v1.0.2

protobufjs-cli-v1.1.0

protobufjs-cli-v1.1.1

protobufjs-cli-v1.1.2

protobufjs-cli-v1.1.3

protobufjs-cli-v1.1.4

protobufjs-cli-v1.2.0

protobufjs-cli-v2.*

protobufjs-cli-v2.0.0

protobufjs-cli-v2.0.1

protobufjs-v7.*

protobufjs-v7.0.0

protobufjs-v7.1.0

protobufjs-v7.1.1

protobufjs-v7.1.2

protobufjs-v7.2.0

protobufjs-v7.2.1

protobufjs-v7.2.2

protobufjs-v7.2.3

protobufjs-v7.2.4

protobufjs-v7.2.5

protobufjs-v7.2.6

protobufjs-v7.3.0

protobufjs-v7.3.1

protobufjs-v7.3.2

protobufjs-v7.3.3

protobufjs-v7.4.0

protobufjs-v7.5.0

protobufjs-v7.5.1

protobufjs-v7.5.2

protobufjs-v7.5.3

protobufjs-v7.5.4

protobufjs-v7.5.5

protobufjs-v8.*

protobufjs-v8.0.0

protobufjs-v8.0.1

v6.*

v6.10.0

v6.10.0-beta.0

v6.10.0-beta.1

v6.10.0-beta.2

v6.10.1

v6.10.1-beta.0

v6.10.2

v6.9.0

v6.9.0-beta.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42290.json"