Home / Vulnerability Intelligence / CVE-2026-44295

CVE-2026-44295 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: May 13, 2026

protobufjs-cli - Template Injection

Published: May 13, 2026Updated: May 13, 2026Remote Exploitable

Overview

protobufjs-cli < 1.2.1 and < 2.0.2 contains a code injection vulnerability caused by insufficient sanitization of schema-controlled names in static code generation, letting attackers inject unsafe JavaScript identifiers, exploit requires crafted schema or JSON descriptor.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 3.2%(Probability of exploitation in next 30 days)

Impact

Attackers can inject unsafe JavaScript identifiers, potentially leading to code execution or logic manipulation in generated code.

Mitigation

Update to versions 1.2.1 or 2.0.2 or later.

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

May 13, 2026

🟠 CVE-2026-44295 - High (8.7) protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-44295/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

May 13, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-44295
Severity: High
CVSS Score: 8.7
Type: template_injection
Status: unconfirmed
EPSS: 3.2%
Social Posts: 2

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

3.2%Probability of exploitation in the next 30 days