CVE-2026-41242

CriticalPublic PoCRCE

Published: 18 April 2026

Published

18 April 2026

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41242 is a critical-severity Code Injection (CWE-94) vulnerability in Protobufjs Project Protobufjs. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventdetect

Directly requires identification, reporting, and timely remediation of known flaws like CVE-2026-41242 by patching vulnerable protobufjs versions.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Mandates vulnerability scanning to detect presence of vulnerable protobufjs library versions affected by CVE-2026-41242.

CM-8 System Component Inventory partial match

detect

Maintains inventory of system components, enabling identification of protobufjs usage and vulnerable instances targeted by CVE-2026-41242.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

Why these techniques?

Code injection in protobufjs enables remote supply of malicious definitions to public-facing apps for RCE (T1190) with direct arbitrary JavaScript execution during decoding (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and…

7.5.5 patch the issue.

Deeper analysisAI

CVE-2026-41242 is a code injection vulnerability (CWE-94) in the protobufjs library, which compiles Protocol Buffers (protobuf) definitions into JavaScript functions. Versions prior to 8.0.1 and 7.5.5 are affected, allowing attackers to inject arbitrary code into the "type" fields of protobuf definitions. This code executes during object decoding when using the compromised definition, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers without authentication or user interaction can exploit this by supplying malicious protobuf definitions to applications using vulnerable protobufjs for decoding. Successful exploitation leads to arbitrary code execution on the target system, potentially resulting in full compromise with high confidentiality, integrity, and availability impacts.

Mitigation requires upgrading to protobufjs version 8.0.1 or 7.5.5, as detailed in the project's security advisory (GHSA-xq3m-2v4x-88gg) and corresponding release notes. Relevant patches are available in commits 535df444ac060243722ac5d672db205e5c531d75 and ff7b2afef8754837cc6dc64c864cd111ab477956.