Cyber Resilience

CVE-2026-42290

High

Published: 13 May 2026

Published
13 May 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42290 is a high-severity OS Command Injection (CWE-78) vulnerability in Protobufjs Project Protobufjs-Cli. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted…

more

by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CWE-78 OS command injection via child_process.exec on untrusted file paths directly enables Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44295Same product: Protobufjs Project Protobufjs-Cli
CVE-2026-44724Shared CWE-78
CVE-2026-22227Shared CWE-78
CVE-2024-40891Shared CWE-78
CVE-2026-26280Shared CWE-78
CVE-2024-57019Shared CWE-78
CVE-2026-45152Shared CWE-78
CVE-2025-53949Shared CWE-78
CVE-2026-8652Shared CWE-78
CVE-2026-35071Shared CWE-78

Affected Assets

protobufjs project
protobufjs-cli
≤ 1.2.1 · 2.0.0 — 2.0.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References