CVE-2026-44295

8.7 HIGH

protobufjs-cli is the command line add-on for protobuf.js

Published: 2026-05-13 · Last updated: 2026-05-19

Severity and scoring

CVSS: 8.7 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE: CWE-94

Affected products

Vendor: protobufjs_project
Product: protobufjs-cli

Description

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.

Source: NVD
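
A pre-generation check for pipelines that feed externally supplied schemas to pbjs, given as an added example that is not from NVD or the protobuf.js project: it walks a JSON descriptor and reports every name that is not a plain identifier. The descriptor layout (`nested`, `fields`, `oneofs`, `values`, `methods`), the identifier rule, the function name `findUnsafeNames` and the sample descriptor are assumptions made for this example.

```javascript
// Added example: lint a protobuf.js JSON descriptor before static code generation.
// Assumption: every schema-controlled name must match the protobuf identifier grammar.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Assumption: these child maps are keyed by names that end up in generated code.
const NAME_MAPS = ["nested", "fields", "oneofs", "values", "methods"];

// Returns [{ kind, fullName }] for each name that is not a plain identifier.
function findUnsafeNames(node, path = "") {
  const findings = [];
  if (node === null || typeof node !== "object") return findings;
  for (const mapKey of NAME_MAPS) {
    const children = node[mapKey];
    if (children === null || typeof children !== "object") continue;
    for (const name of Object.keys(children)) {
      const fullName = path ? `${path}.${name}` : name;
      if (!IDENT.test(name)) findings.push({ kind: mapKey, fullName });
      // Derived full names are built from parents, so keep descending.
      findings.push(...findUnsafeNames(children[name], fullName));
    }
  }
  return findings;
}

// Constructed sample descriptor (not taken from the advisory).
// Two names contain characters that are not valid in an identifier.
const sample = {
  nested: {
    shop: {
      nested: {
        Order: { fields: { id: { type: "string", id: 1 } } },
        "Order Status": { values: { NEW: 0, "IN-PROGRESS": 1 } },
        Checkout: {
          methods: { Pay: { requestType: "Order", responseType: "Order" } },
        },
      },
    },
  },
};

// A build step would refuse to run pbjs when this list is non-empty.
console.log(findUnsafeNames(sample));
```

The check complements the upgrade to 1.2.1 or 2.0.2 and does not replace it.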

Related CVEs

Same vendor

  • CVE-2026-44288 protobufjs compiles protobuf definitions into JavaScript (JS) functions (5.3 MEDIUM)
  • CVE-2026-42290 protobufjs-cli is the command line add-on for protobuf.js (7.8 HIGH)

Same CWE

  • CVE-2026-50223 Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with C...
  • CVE-2026-45558 Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (9.9 CRITICAL)
  • CVE-2026-46517 LMDeploy is a toolkit for compressing, deploying, and serving large language models (7.8 HIGH)
  • CVE-2026-46432 LMDeploy is a toolkit for compressing, deploying, and serving large language models (7.8 HIGH)
  • CVE-2026-47292 Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally (7.8 HIGH)