CVE-2026-41242: Code Injection in Protobuf.js

CWE-94 (Code Injection), 11 documents from 5 sources

Severity: 9.4 CRITICAL (NVD)
EPSS: 0.1% (top 81.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 18; latest update Apr 28

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages: 39 packages

Vulnerability Details (1)

VulDB: protobufjs protobuf.js up to 7.5.4/8.0.0 Type code injection (GHSA-xq3m-2v4x-88gg / EUVD-2026-23678), 2026-04-18

Vendor Advisories (1)

Red Hat: protobufjs: Arbitrary code execution via injected protobuf definition type fields, 2026-04-18

Threat Intelligence (1)

Hackernews: Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More, 2026-04-20

Community (7)

Bugzilla: CVE-2026-41242 qt5-qtwebengine: protobufjs: Arbitrary code execution via injected protobuf definition type fields [fedora-all], 2026-04-28
Bugzilla: CVE-2026-41242 qt6-qtwebengine: protobufjs: Arbitrary code execution via injected protobuf definition type fields [epel-all], 2026-04-28
Bugzilla: CVE-2026-41242 onnxruntime: protobufjs: Arbitrary code execution via injected protobuf definition type fields [fedora-all], 2026-04-28
Bugzilla: CVE-2026-41242 cockatrice: protobufjs: Arbitrary code execution via injected protobuf definition type fields [epel-all], 2026-04-28
Bugzilla: CVE-2026-41242 qt5-qtwebengine: protobufjs: Arbitrary code execution via injected protobuf definition type fields [epel-all], 2026-04-27