Medium severity6.5NVD Advisory· Published Apr 15, 2026· Updated Apr 17, 2026
CVE-2026-5758
CVE-2026-5758
Description
JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
protocol-buffers-schemanpm | < 3.6.1 | 3.6.1 |
Affected products
13- osv-coords12 versionspkg:apk/chainguard/opensearch-dashboards-2-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-3-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-mapspkg:apk/chainguard/tileserver-glpkg:apk/chainguard/tileserver-gl-fipspkg:apk/chainguard/wazuh-dashboard-dashboards-mapspkg:apk/chainguard/wazuh-dashboard-dashboards-maps-fipspkg:apk/wolfi/opensearch-dashboards-2-dashboards-mapspkg:apk/wolfi/opensearch-dashboards-3-dashboards-mapspkg:apk/wolfi/tileserver-glpkg:npm/protocol-buffers-schema
< 2.19.5-r10+ 11 more
- (no CPE)range: < 2.19.5-r10
- (no CPE)range: < 2.19.5-r10
- (no CPE)range: < 3.6.0-r2
- (no CPE)range: < 3.6.0-r3
- (no CPE)range: < 5.6.0-r1
- (no CPE)range: < 5.6.0-r1
- (no CPE)range: < 4.14.4-r3
- (no CPE)range: < 4.14.4-r2
- (no CPE)range: < 2.19.5-r10
- (no CPE)range: < 3.6.0-r2
- (no CPE)range: < 5.6.0-r1
- (no CPE)range: < 3.6.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-j452-xhg8-qg39ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-5758ghsaADVISORY
- github.com/mafintosh/protocol-buffers-schema/pull/70nvdWEB
- morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollutionghsaWEB
- morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution/nvd
News mentions
0No linked articles in our index yet.