VYPR
Critical severity9.8NVD Advisory· Published Apr 18, 2026· Updated Apr 23, 2026

CVE-2026-41242

CVE-2026-41242

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
protobufjsnpm
>= 8.0.0, < 8.0.18.0.1
protobufjsnpm
< 7.5.57.5.5

Affected products

43

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.