Cyber Resilience

CVE-2026-44290

High

Published: 13 May 2026

Published
13 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0014 34.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44290 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Protobufjs Project Protobufjs. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 34.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to…

more

write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Prototype pollution in JS library directly enables corruption of global constructors/builtins, facilitating JavaScript command/script execution or flow hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44293Same product: Protobufjs Project Protobufjs
CVE-2026-44291Same product: Protobufjs Project Protobufjs
CVE-2026-41242Same product: Protobufjs Project Protobufjs
CVE-2026-45740Same product: Protobufjs Project Protobufjs
CVE-2026-44289Same product: Protobufjs Project Protobufjs
CVE-2026-44295Same vendor: Protobufjs Project
CVE-2026-42290Same vendor: Protobufjs Project
CVE-2026-33228Shared CWE-1321
CVE-2026-26021Shared CWE-1321
CVE-2026-25754Shared CWE-1321

Affected Assets

protobufjs project
protobufjs
≤ 7.5.6 · 8.0.0 — 8.0.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References