CVE-2026-41242
published 2026-04-18

Priority: P260 · Severity: critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.74% (50.1 percentile)
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Affected

42 ranges, showing 25

Vendor                      | Product                                                                           | Version range | Fixed in
----------------------------|-----------------------------------------------------------------------------------|---------------|---------
ansible-automation-platform | automation-portal                                                                 |               |
apicurio                    | apicurio-studio-ui-rhel8                                                          |               |
grafana                     | grafana                                                                           |               |
openshift-pipelines         | pipelines-console-plugin-rhel8                                                    |               |
openshift-pipelines         | pipelines-console-plugin-rhel9                                                    |               |
openshift4                  | ose-console                                                                       |               |
openshift4                  | ose-console-rhel9                                                                 |               |
protobufjs                  | protobuf.js                                                                       | < 7.5.5       | 7.5.5
protobufjs                  | protobuf.js                                                                       |               |
protobufjs_project          | protobufjs                                                                        | < 7.5.5       | 7.5.5
protobufjs_project          | protobufjs                                                                        |               |
rhdh                        | backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor   |               |
rhdh                        | rhdh-hub-rhel9                                                                    |               |
rhelai3                     | bootc-cuda-rhel9                                                                  |               |
rhelai3                     | bootc-rocm-rhel9                                                                  |               |
rhelai3                     | disk-image-cuda-rhel9                                                             |               |
rhoai                       | odh-dashboard-rhel8                                                               |               |
rhoai                       | odh-dashboard-rhel9                                                               |               |
rhoai                       | odh-kf-notebook-controller-rhel8                                                  |               |
rhoai                       | odh-mlflow-rhel9                                                                  |               |
rhoai                       | odh-mod-arch-gen-ai-rhel9                                                         |               |
rhoai                       | odh-mod-arch-maas-rhel9                                                           |               |
rhoai                       | odh-mod-arch-model-registry-rhel9                                                 |               |
rhoai                       | odh-notebook-controller-rhel8                                                     |               |
rhoai                       | odh-pipeline-runtime-datascience-cpu-py312-rhel9                                  |               |

Detection & IOCs (extracted from sources)

  • Arbitrary code injection occurs via the 'type' fields of protobuf definitions, which executes during object decoding. Monitor for unexpected or malformed 'type' field values in protobuf definition files or payloads being processed by protobufjs.
  • Code execution is triggered during the object decoding process in protobufjs. Alert on anomalous process spawning or code execution originating from Node.js/JavaScript runtimes processing protobuf definitions.
  • Only protobufjs versions prior to 8.0.1 and 7.5.5 are vulnerable. Versions 8.0.1 and 7.5.5 patch the issue. Confirm the installed version before triaging affected systems.
  • A wide range of Red Hat products are affected, including OpenShift Pipelines, OpenShift Container Platform 4, Red Hat Developer Hub, Red Hat OpenShift AI (RHOAI), Grafana on RHEL 8/9, Podman Desktop, and others. Scope detection and patching efforts accordingly.
  • At least one RHOAI package (rhoai/odh-mlflow-rhel9) is explicitly listed as NOT affected, indicating not all components within a product suite are vulnerable. Verify per-package status before applying blanket mitigations.
  • Community-tracked packages (qt5-qtwebengine, qt6-qtwebengine, cockatrice) may also be affected via bundled protobufjs. Package maintainers must independently verify if the flaw affects their package before updating.

CVSS provenance

Source        | Version | Score        | Vector
--------------|---------|--------------|-------
nvd           | v3.1    | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v4.0    | 9.4 CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat |         | 9.4 CRITICAL |