CVE-2026-44293 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: May 13, 2026
protobufjs - Code Injection
Published: May 13, 2026Updated: May 13, 2026Remote Exploitable
Overview
protobufjs < 7.5.6 and < 8.0.2 contains a code injection vulnerability caused by unsafe expression generation from schema-controlled bytes field default values, letting attackers inject code into generated toObject conversion functions, exploit requires crafted protobuf descriptors.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers can inject and execute arbitrary code in generated JavaScript functions, leading to remote code execution.
Mitigation
Update to version 7.5.6 or 8.0.2 or later.
Related Resources
Details
- CVE ID
- CVE-2026-44293
- Severity
- High
- CVSS Score
- 8.8
- Type
- template_injection
- Status
- confirmed
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H