CVE-2026-44293

Source
https://cve.org/CVERecord?id=CVE-2026-44293
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44293.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-44293
Aliases
Downstream
Related
Published
2026-05-13T14:43:33.342Z
Modified
2026-07-12T03:55:35.636135861Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
protobufjs: Code injection through bytes field defaults in generated toObject code
Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44293.json"
}
References

Affected packages

Git / github.com/protobufjs/protobuf.js

Affected ranges

Type
GIT
Repo
https://github.com/protobufjs/protobuf.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.5.6"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.2"
        }
    ]
}

Affected versions

6.*
6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.5.0
6.5.1
6.5.2
6.5.3
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.7.0
6.7.1
6.7.2
6.7.3
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
6.8.7
6.8.8
protobufjs-cli-v1.*
protobufjs-cli-v1.0.0
protobufjs-cli-v1.0.1
protobufjs-cli-v1.0.2
protobufjs-cli-v1.1.0
protobufjs-cli-v1.1.1
protobufjs-cli-v1.1.2
protobufjs-cli-v1.1.3
protobufjs-cli-v1.1.4
protobufjs-cli-v1.2.0
protobufjs-cli-v2.*
protobufjs-cli-v2.0.0
protobufjs-cli-v2.0.1
protobufjs-v7.*
protobufjs-v7.0.0
protobufjs-v7.1.0
protobufjs-v7.1.1
protobufjs-v7.1.2
protobufjs-v7.2.0
protobufjs-v7.2.1
protobufjs-v7.2.2
protobufjs-v7.2.3
protobufjs-v7.2.4
protobufjs-v7.2.5
protobufjs-v7.2.6
protobufjs-v7.3.0
protobufjs-v7.3.1
protobufjs-v7.3.2
protobufjs-v7.3.3
protobufjs-v7.4.0
protobufjs-v7.5.0
protobufjs-v7.5.1
protobufjs-v7.5.2
protobufjs-v7.5.3
protobufjs-v7.5.4
protobufjs-v7.5.5
protobufjs-v8.*
protobufjs-v8.0.0
protobufjs-v8.0.1
v6.*
v6.10.0
v6.10.0-beta.0
v6.10.0-beta.1
v6.10.0-beta.2
v6.10.1
v6.10.1-beta.0
v6.10.2
v6.9.0
v6.9.0-beta.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44293.json"