CVE-2026-41242
Published 2026-04-18
Priority P260 · critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.74% (50.1th percentile)
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Affected
42 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| apicurio | apicurio-studio-ui-rhel8 | — | — |
| grafana | grafana | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel8 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel9 | — | — |
| openshift4 | ose-console | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| protobufjs | protobuf.js | < 7.5.5 | 7.5.5 |
| protobufjs | protobuf.js | — | — |
| protobufjs_project | protobufjs | < 7.5.5 | 7.5.5 |
| protobufjs_project | protobufjs | — | — |
| rhdh | backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhoai | odh-dashboard-rhel8 | — | — |
| rhoai | odh-dashboard-rhel9 | — | — |
| rhoai | odh-kf-notebook-controller-rhel8 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-mod-arch-gen-ai-rhel9 | — | — |
| rhoai | odh-mod-arch-maas-rhel9 | — | — |
| rhoai | odh-mod-arch-model-registry-rhel9 | — | — |
| rhoai | odh-notebook-controller-rhel8 | — | — |
| rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Arbitrary code injection occurs via the 'type' fields of protobuf definitions, which executes during object decoding. Monitor for unexpected or malformed 'type' field values in protobuf definition files or payloads being processed by protobufjs.
- Code execution is triggered during the object decoding process in protobufjs. Alert on anomalous process spawning or code execution originating from Node.js/JavaScript runtimes processing protobuf definitions.
- Only protobufjs versions prior to 8.0.1 and 7.5.5 are vulnerable. Versions 8.0.1 and 7.5.5 patch the issue. Confirm the installed version before triaging affected systems.
- A wide range of Red Hat products are affected, including OpenShift Pipelines, OpenShift Container Platform 4, Red Hat Developer Hub, Red Hat OpenShift AI (RHOAI), Grafana on RHEL 8/9, Podman Desktop, and others. Scope detection and patching efforts accordingly.
- At least one RHOAI package (rhoai/odh-mlflow-rhel9) is explicitly listed as NOT affected, indicating not all components within a product suite are vulnerable. Verify per-package status before applying blanket mitigations.
- Community-tracked packages (qt5-qtwebengine, qt6-qtwebengine, cockatrice) may also be affected via bundled protobufjs. Package maintainers must independently verify if the flaw affects their package before updating.
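The first detection item above asks for a check on malformed 'type' values before protobufjs processes a definition. The following is an added example, not code from protobufjs or from any of the sources quoted here: it walks a protobufjs-style JSON descriptor (the `nested` / `fields` / `type` / `keyType` layout accepted by `Root.fromJSON`) and rejects any type value that is not a plain protobuf type reference. Upgrading to 7.5.5 / 8.0.1 is the fix; this is defence in depth for descriptors that arrive from untrusted sources. The sample descriptors are constructed for the example.

```javascript
// Added example (not protobufjs's own code): allow-list the "type" and
// "keyType" values of a JSON descriptor before handing it to Root.fromJSON().
// A protobuf type reference is an optional leading dot followed by
// dot-separated identifiers (e.g. "uint32", "string", ".pkg.Msg.Inner").
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Recursively collects every path whose name or type value fails the check.
// Returns [] for a descriptor that only contains well-formed references.
function findUnsafeTypes(desc, path = "") {
  const bad = [];
  if (!desc || typeof desc !== "object") return bad;
  for (const [name, node] of Object.entries(desc.nested || {})) {
    const here = path ? `${path}.${name}` : name;
    if (!IDENT.test(name)) bad.push(`${here}: bad name`);
    if (!node || typeof node !== "object") continue;
    for (const [fname, field] of Object.entries(node.fields || {})) {
      for (const key of ["type", "keyType"]) {
        const v = field && field[key];
        if (v === undefined) continue;
        if (typeof v !== "string" || !TYPE_REF.test(v)) {
          bad.push(`${here}.${fname}.${key}: ${JSON.stringify(v)}`);
        }
      }
    }
    bad.push(...findUnsafeTypes(node, here)); // nested messages / enums
  }
  return bad;
}

// Gate to call before protobuf.Root.fromJSON(desc) on untrusted input.
function assertSafeDescriptor(desc) {
  const bad = findUnsafeTypes(desc);
  if (bad.length) throw new Error("unsafe descriptor: " + bad.join("; "));
  return desc;
}

// Constructed sample descriptors: GOOD uses only real type references
// (including a map and a nested message); BAD carries a non-identifier
// string in a "type" slot, which is exactly what should never reach codegen.
const GOOD = { nested: { Ping: {
  fields: { id: { type: "uint32", id: 1 },
            tags: { keyType: "string", type: ".Ping.Tag", id: 2 } },
  nested: { Tag: { fields: { v: { type: "string", id: 1 } } } } } } };
const BAD = { nested: { Ping: {
  fields: { id: { type: "uint32; not-a-type", id: 1 } } } } };
```

The check is deliberately stricter than protobufjs's own parser: anything that is not a dotted identifier is refused, so a descriptor failing it should be logged and dropped rather than repaired.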
CVSS provenance
- nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd v4.0: 9.4 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vendor_redhat: 9.4 CRITICAL
VulDB
protobufjs protobuf.js up to 7.5.4/8.0.0 Type code injection (GHSA-xq3m-2v4x-88gg / EUVD-2026-23678)
vuldb · 2026-04-18 · CVSS 9.4 · CRITICAL
A vulnerability has been found in protobufjs protobuf.js up to 7.5.4/8.0.0 and classified as critical. This vulnerability affects unknown code. This manipulation of the argument Type causes code injection.
This vulnerability is tracked as CVE-2026-41242. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
Red Hat
protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields
vendor_redhat · 2026-04-18 · CVSS 9.4 · CRITICAL · CWE-94
A flaw was found in protobufjs, a JavaScript (JS) library used for compiling protobuf definitions. A remote attacker with low privileges can exploit this vulnerability by injecting arbitrary code into the "type" fields of protobuf definitions. This malicious code will then execute during the object decoding process, leading to arbitrary code execution and potentially full system compromise.
Package: openshift-pipelines/pipelines-console-plugin-rhel8 (OpenShift Pipelines) - Affected
Package: openshift-pipelines/pipelines-console-plugin-rhel9 (OpenShift Pipelines) - Affected
Package: apicurio/apicurio-studio-ui-rhel8 (Red Hat build of Apicurio Registry 3) - Affected
Package: podman-desktop-maco
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-41242 qt5-qtwebengine: protobufjs: Arbitrary code execution via injected protobuf definition type fields [fedora-all]
bugzilla · 2026-04-28 · CVSS 9.4 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-41242 qt6-qtwebengine: protobufjs: Arbitrary code execution via injected protobuf definition type fields [epel-all]
bugzilla · 2026-04-28 · CVSS 9.4 · CRITICAL
Bugzilla
CVE-2026-41242 onnxruntime: protobufjs: Arbitrary code execution via injected protobuf definition type fields [fedora-all]
bugzilla · 2026-04-28 · CVSS 9.4 · CRITICAL
Bugzilla
CVE-2026-41242 cockatrice: protobufjs: Arbitrary code execution via injected protobuf definition type fields [epel-all]
bugzilla · 2026-04-28 · CVSS 9.4 · CRITICAL
Bugzilla
CVE-2026-41242 qt5-qtwebengine: protobufjs: Arbitrary code execution via injected protobuf definition type fields [epel-all]
bugzilla · 2026-04-27 · CVSS 9.4 · CRITICAL
Bugzilla
CVE-2026-41242 cockatrice: protobufjs: Arbitrary code execution via injected protobuf definition type fields [fedora-all]
bugzilla · 2026-04-27 · CVSS 9.4 · CRITICAL
Bugzilla
CVE-2026-41242 protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields
bugzilla · 2026-04-18 · CVSS 9.4 · CRITICAL
Bugzilla
CVE-2025-41242 resteasy: Spring Framework MVC path traversal vulnerability [fedora-42]
bugzilla · 2025-08-18 · CVSS 5.9 · MEDIUM
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug r
Hackernews
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
blogs_hackernews · 2026-04-20 · CVE-2026-20184
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
References
- https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
- https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
- https://access.redhat.com/errata/RHSA-2026:21338
- https://access.redhat.com/errata/RHSA-2026:24977
- https://access.redhat.com/errata/RHSA-2026:26234
- https://access.redhat.com/security/cve/CVE-2026-41242
- https://bugzilla.redhat.com/show_bug.cgi?id=2459442
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41242.json
Published 2026-04-18