CVE-2026-59876

Source
https://cve.org/CVERecord?id=CVE-2026-59876
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59876.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59876
Aliases
  • GHSA-jfj6-75fj-8934
Published
2026-07-08T15:31:11.421Z
Modified
2026-07-12T03:54:59.094750736Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
protobufjs: Text Format string map parsing can mutate returned map object prototype
Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key proto to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1321"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59876.json"
}
References

Affected packages

Git / github.com/protobufjs/protobuf.js

Affected ranges

Type
GIT
Repo
https://github.com/protobufjs/protobuf.js
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "8.2.0"
        },
        {
            "fixed": "8.6.5"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

protobufjs-cli-v2.*
protobufjs-cli-v2.2.0
protobufjs-cli-v2.2.1
protobufjs-cli-v2.3.0
protobufjs-cli-v2.4.0
protobufjs-cli-v2.4.1
protobufjs-cli-v2.4.2
protobufjs-cli-v2.5.0
protobufjs-cli-v2.5.1
protobufjs-cli-v2.5.2
protobufjs-cli-v2.5.3
protobufjs-cli-v2.5.4
protobufjs-cli-v2.5.5
protobufjs-v8.*
protobufjs-v8.2.0
protobufjs-v8.2.1
protobufjs-v8.3.0
protobufjs-v8.4.0
protobufjs-v8.4.1
protobufjs-v8.4.2
protobufjs-v8.5.0
protobufjs-v8.6.0
protobufjs-v8.6.1
protobufjs-v8.6.2
protobufjs-v8.6.3
protobufjs-v8.6.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59876.json"