Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

14 advisories

Loading
protobuf.js is Vulnerable to OS Command Injection in the CLI High
CVE-2026-42290 was published for protobufjs-cli (npm) May 12, 2026
0x5t4l1n Credited to 0x5t4l1n and dcodeIO dcodeIO dcodeIO
protobufjs has overlong UTF-8 decoding Moderate
CVE-2026-44288 was published for @protobufjs/utf8 (npm) May 12, 2026
Xvush Credited to Xvush and dcodeIO dcodeIO dcodeIO
protobuf.js: Denial of service through unbounded protobuf recursion High
CVE-2026-44289 was published for protobufjs (npm) May 12, 2026
peaktwilight Credited to peaktwilight, VladimirEliTokarev, AKiileX, tndud042713, dcodeIO, and alexander-fenster VladimirEliTokarev VladimirEliTokarev
AKiileX AKiileX tndud042713 tndud042713 dcodeIO dcodeIO alexander-fenster alexander-fenster
protobuf.js: Process-wide denial of service through unsafe option paths High
CVE-2026-44290 was published for protobufjs (npm) May 12, 2026
AKiileX Credited to AKiileX, VladimirEliTokarev, and dcodeIO VladimirEliTokarev VladimirEliTokarev
dcodeIO dcodeIO
protobuf.js: Code generation gadget after prototype pollution High
CVE-2026-44291 was published for protobufjs (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
protobuf.js: Prototype injection in generated message constructors Moderate
CVE-2026-44292 was published for protobufjs (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
protobuf.js: Code injection through bytes field defaults in generated toObject code High
CVE-2026-44293 was published for protobufjs (npm) May 12, 2026
mbaraniak-exodus Credited to mbaraniak-exodus and dcodeIO dcodeIO dcodeIO
protobuf.js: Denial of service from crafted field names in generated code Moderate
CVE-2026-44294 was published for protobufjs (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
protobuf.js: Code injection in pbjs static output from crafted schema names High
CVE-2026-44295 was published for protobufjs-cli (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion Moderate
CVE-2026-45740 was published for protobufjs (npm) May 19, 2026
fasrm Credited to fasrm and dcodeIO dcodeIO dcodeIO
protobufjs : Schema-derived names can shadow runtime-significant properties Moderate
CVE-2026-54269 was published for protobufjs (npm) Jun 15, 2026
acorn421 Credited to acorn421 and dcodeIO dcodeIO dcodeIO
protobufjs: Denial of service through unbounded Any expansion during JSON conversion High
CVE-2026-48712 was published for protobufjs (npm) Jun 15, 2026
EchoSkorJjj Credited to EchoSkorJjj, yueyueL, and dcodeIO yueyueL yueyueL
dcodeIO dcodeIO
protobufjs: Memory amplification from preserved unknown fields in binary decode Moderate
CVE-2026-54270 was published for protobufjs (npm) Jun 15, 2026
sondt99 Credited to sondt99 and dcodeIO dcodeIO dcodeIO
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names High
CVE-2026-54271 was published for protobufjs-cli (npm) Jun 15, 2026
JacobBrackett Credited to JacobBrackett and dcodeIO dcodeIO dcodeIO
ProTip! Advisories are also available from the GraphQL API