Cyber Resilience

CVE-2026-41242

Critical · Public PoC · RCE · Updated

Published: 18 April 2026

Modified: 30 June 2026
CVSS Score (v4): 9.4 · Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0057 (43.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-41242 is a critical-severity Code Injection (CWE-94) vulnerability in Protobufjs Project Protobufjs. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 43.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41242 is a code injection vulnerability (CWE-94) in the protobufjs library, which compiles Protocol Buffers (protobuf) definitions into JavaScript functions. Versions prior to 8.0.1 and 7.5.5 are affected, allowing attackers to inject arbitrary code into the "type" fields of protobuf definitions. This code executes during object decoding when using the compromised definition, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers without authentication or user interaction can exploit this by supplying malicious protobuf definitions to applications using vulnerable protobufjs for decoding. Successful exploitation leads to arbitrary code execution on the target system, potentially resulting in full compromise with high confidentiality, integrity, and availability impacts.

Mitigation requires upgrading to protobufjs version 8.0.1 or 7.5.5, as detailed in the project's security advisory (GHSA-xq3m-2v4x-88gg) and corresponding release notes. Relevant patches are available in commits 535df444ac060243722ac5d672db205e5c531d75 and ff7b2afef8754837cc6dc64c864cd111ab477956.
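As an added example (not code from the advisory or the protobufjs project), the following Node.js script applies the version boundaries above to an npm package-lock.json, the kind of inventory check the RA-5 scanning control calls for; the sample lockfile and every package name other than protobufjs are constructed for the example.

```javascript
// Fixed release per major line, from the advisory text ("prior to 8.0.1 and 7.5.5").
const FIXED_BY_MAJOR = { 7: [7, 5, 5], 8: [8, 0, 1] };

// Parse "major.minor.patch"; a leading "v", prerelease ("-rc.1") and build metadata
// ("+abc") are dropped (assumption: a prerelease is treated like its release).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version predates the fixed release of its major line. 6.x and older
// have no fixed release (all are affected); majors above 8 are assumed to carry the fix.
function isVulnerable(version) {
  const v = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[v[0]];
  return fixed ? compareVersions(v, fixed) < 0 : v[0] < 8;
}

// Walk the lockfile "packages" map (lockfileVersion 2/3). Keys are install paths, so
// nested copies like "node_modules/foo/node_modules/protobufjs" are caught as well.
function findVulnerableProtobufjs(lockJson) {
  const hits = [];
  for (const [path, meta] of Object.entries(JSON.parse(lockJson).packages || {})) {
    const isPbjs = path === "node_modules/protobufjs" || path.endsWith("/node_modules/protobufjs");
    if (isPbjs && meta.version && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile; package names other than protobufjs are made up.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/protobufjs": { version: "7.5.4" },
    "node_modules/some-grpc-client/node_modules/protobufjs": { version: "8.0.1" },
    "node_modules/legacy-tool/node_modules/protobufjs": { version: "6.11.4" },
  },
});

console.log(findVulnerableProtobufjs(SAMPLE_LOCK)); // flags the 7.5.4 and 6.11.4 copies, not 8.0.1
```

Point it at a real lockfile with `findVulnerableProtobufjs(require("fs").readFileSync("package-lock.json", "utf8"))`; a hit on a nested path means a transitive dependency pins the vulnerable copy and needs its own update.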


Vulnerability details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Code injection in protobufjs enables remote supply of malicious definitions to public-facing apps for RCE (T1190) with direct arbitrary JavaScript execution during decoding (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44291 · Same product: Protobufjs Project Protobufjs
CVE-2026-44293 · Same product: Protobufjs Project Protobufjs
CVE-2026-44290 · Same product: Protobufjs Project Protobufjs
CVE-2026-45740 · Same product: Protobufjs Project Protobufjs
CVE-2026-44289 · Same product: Protobufjs Project Protobufjs
CVE-2026-44295 · Same vendor: Protobufjs Project
CVE-2025-26260 · Shared CWE-94
CVE-2026-26954 · Shared CWE-94
CVE-2026-41507 · Shared CWE-94
CVE-2025-12735 · Shared CWE-94

Affected Assets

protobufjs project
protobufjs
8.0.0 · ≤ 7.5.5

Mitigating Controls (NIST 800-53 r5)

prevent · detect

Directly requires identification, reporting, and timely remediation of known flaws like CVE-2026-41242 by patching vulnerable protobufjs versions.

detect

Mandates vulnerability scanning to detect presence of vulnerable protobufjs library versions affected by CVE-2026-41242.

detect

Maintains inventory of system components, enabling identification of protobufjs usage and vulnerable instances targeted by CVE-2026-41242.
