CVE-2026-42290

7.8 HIGH

protobufjs-cli is the command line add-on for protobuf.js

Published: 2026-05-13 · Last updated: 2026-05-19

Severity and scoring

CVSS: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-78

Affected products

Vendor	Product
protobufjs_project	protobufjs-cli

Description

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42290
[Vendor advisory]https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj

Related CVEs

Same vendor

CVE-2026-44295 — protobufjs-cli is the command line add-on for protobuf.js (8.7 HIGH)
CVE-2026-44288 — protobufjs compiles protobuf definitions into JavaScript (JS) functions (5.3 MEDIUM)

Same CWE

CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
CVE-2026-42563 — Dulwich is a pure-Python implementation of the Git file formats and protocols
CVE-2026-0273 — A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrict...
CVE-2026-6893 — A flaw was found in dracut (8.8 HIGH)
CVE-2026-46643 — Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page