CVE-2026-44295

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-44295

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44295.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-44295

Aliases

GHSA-6r35-46g8-jcw9

Related

CGA-cfx3-5gjg-3j69

Published

2026-05-13T14:50:39.216Z

Modified

2026-06-18T03:56:18.915746080Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

protobufjs-cli: Code injection in pbjs static output from crafted schema names

Details

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.

Database specific

{
    "cwe_ids": [
        "CWE-94"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44295.json"
}

References

Affected packages

Git / github.com/protobufjs/protobuf.js

Affected ranges

Type

GIT

Repo

https://github.com/protobufjs/protobuf.js

Events

Introduced

Fixed

2189e5beeca6a70e4c104dfdb9fb8200bc5f81fe

Introduced

933e8750dcd000c16a621a7344a4beaa034c4019

Fixed

658b93e163d9aff8c31236c168657bab5e2d9bbc

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.2.1"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.2"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:protobufjs_project:protobufjs-cli:*:*:*:*:*:node.js:*:*"
}

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.1.1

6.2.0

6.2.1

6.3.0

6.3.1

6.4.0

6.4.1

6.4.2

6.4.3

6.4.4

6.4.5

6.4.6

6.5.0

6.5.1

6.5.2

6.5.3

6.6.0

6.6.1

6.6.2

6.6.3

6.6.4

6.6.5

6.7.0

6.7.1

6.7.2

6.7.3

6.8.0

6.8.1

6.8.2

6.8.3

6.8.4

6.8.5

6.8.6

6.8.7

6.8.8

protobufjs-cli-v1.*

protobufjs-cli-v1.0.0

protobufjs-cli-v1.0.1

protobufjs-cli-v1.0.2

protobufjs-cli-v1.1.0

protobufjs-cli-v1.1.1

protobufjs-cli-v1.1.2

protobufjs-cli-v1.1.3

protobufjs-cli-v1.1.4

protobufjs-cli-v1.2.0

protobufjs-cli-v2.*

protobufjs-cli-v2.0.0

protobufjs-cli-v2.0.1

protobufjs-v7.*

protobufjs-v7.0.0

protobufjs-v7.1.0

protobufjs-v7.1.1

protobufjs-v7.1.2

protobufjs-v7.2.0

protobufjs-v7.2.1

protobufjs-v7.2.2

protobufjs-v7.2.3

protobufjs-v7.2.4

protobufjs-v7.2.5

protobufjs-v7.2.6

protobufjs-v7.3.0

protobufjs-v7.3.1

protobufjs-v7.3.2

protobufjs-v7.3.3

protobufjs-v7.4.0

protobufjs-v7.5.0

protobufjs-v7.5.1

protobufjs-v7.5.2

protobufjs-v7.5.3

protobufjs-v7.5.4

protobufjs-v7.5.5

protobufjs-v8.*

protobufjs-v8.0.0

protobufjs-v8.0.1

v6.*

v6.10.0

v6.10.0-beta.0

v6.10.0-beta.1

v6.10.0-beta.2

v6.10.1

v6.10.1-beta.0

v6.10.2

v6.9.0

v6.9.0-beta.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44295.json"