CVE-2026-44293
Severity CVSS v4.0:
HIGH
Type:
CWE-94
Code Injection
Publication date:
13/05/2026
Last modified:
10/07/2026
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Impact
Base Score 4.0
7.70
Severity 4.0
HIGH
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* | 7.5.6 (excluding) | |
| cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* | 8.0.0 (including) | 8.0.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm
- https://access.redhat.com/errata/RHSA-2026:26090
- https://access.redhat.com/errata/RHSA-2026:26234
- https://access.redhat.com/errata/RHSA-2026:29795
- https://access.redhat.com/errata/RHSA-2026:34160
- https://access.redhat.com/errata/RHSA-2026:34374
- https://access.redhat.com/errata/RHSA-2026:37385
- https://access.redhat.com/security/cve/CVE-2026-44293
- https://bugzilla.redhat.com/show_bug.cgi?id=2477104
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44293.json



