CVE-2026-44292

Source
https://cve.org/CVERecord?id=CVE-2026-44292
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44292.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44292
Aliases
Downstream
Related
Published
2026-05-13T14:42:55.155Z
Modified
2026-07-15T01:48:52.407167852Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
protobufjs: Prototype injection in generated message constructors
Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the proto key. If an application constructed a message from an attacker-controlled plain object, an own enumerable proto property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44292.json",
    "cwe_ids": [
        "CWE-1321"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/protobufjs/protobuf.js

Affected ranges

Type
GIT
Repo
https://github.com/protobufjs/protobuf.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.5.6"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.2"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*"
}

Affected versions

6.*
6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.5.0
6.5.1
6.5.2
6.5.3
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.7.0
6.7.1
6.7.2
6.7.3
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
6.8.7
6.8.8
protobufjs-cli-v1.*
protobufjs-cli-v1.0.0
protobufjs-cli-v1.0.1
protobufjs-cli-v1.0.2
protobufjs-cli-v1.1.0
protobufjs-cli-v1.1.1
protobufjs-cli-v1.1.2
protobufjs-cli-v1.1.3
protobufjs-cli-v1.1.4
protobufjs-cli-v1.2.0
protobufjs-cli-v2.*
protobufjs-cli-v2.0.0
protobufjs-cli-v2.0.1
protobufjs-v7.*
protobufjs-v7.0.0
protobufjs-v7.1.0
protobufjs-v7.1.1
protobufjs-v7.1.2
protobufjs-v7.2.0
protobufjs-v7.2.1
protobufjs-v7.2.2
protobufjs-v7.2.3
protobufjs-v7.2.4
protobufjs-v7.2.5
protobufjs-v7.2.6
protobufjs-v7.3.0
protobufjs-v7.3.1
protobufjs-v7.3.2
protobufjs-v7.3.3
protobufjs-v7.4.0
protobufjs-v7.5.0
protobufjs-v7.5.1
protobufjs-v7.5.2
protobufjs-v7.5.3
protobufjs-v7.5.4
protobufjs-v7.5.5
protobufjs-v8.*
protobufjs-v8.0.0
protobufjs-v8.0.1
v6.*
v6.10.0
v6.10.0-beta.0
v6.10.0-beta.1
v6.10.0-beta.2
v6.10.1
v6.10.1-beta.0
v6.10.2
v6.9.0
v6.9.0-beta.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44292.json"