Zurück zur CVE-Übersicht
CVE-2026-44293
HIGH(8.8)CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Risk Signal Score22/100 — NIEDRIG
- CVSS 8.8 — Hoch
EPSS-Score
0%
Exploit-Wahrscheinlichkeit (30 Tage)
CVSS Score
8.8
Technische Schwere
Beschreibung
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
GitHub Advisories
GHSA-66ff-xgx4-vchmHIGH
protobuf.js: Code injection through bytes field defaults in generated toObject code
npm/protobufjs→ 7.5.6
GitHub AdvisoryReferenzen
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vch...
- https://access.redhat.com/errata/RHSA-2026:26090
- https://access.redhat.com/errata/RHSA-2026:26234
- https://access.redhat.com/errata/RHSA-2026:29795
- https://access.redhat.com/errata/RHSA-2026:34160
- https://access.redhat.com/errata/RHSA-2026:34374
- https://access.redhat.com/security/cve/CVE-2026-44293
- https://bugzilla.redhat.com/show_bug.cgi?id=2477104
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44293.json