Improper Check for Unusual or Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions when handling field names containing control characters in schemas or JSON descriptors. An attacker can cause runtime errors and disrupt application functionality by supplying crafted...

GHSA-2PR8-PHX7-X9H3 protobuf.js: Denial of service from crafted field names in generated code

Summary protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode,...

Prototype Pollution

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Prototype Pollution in the code generation. An attacker who has achieved prototype pollution by a different exploit can execute arbitrary JavaScript code by polluting...

NPM: protobuf.js: Code generation gadget after prototype pollution

NPM: protobuf.js: Code generation gadget after prototype pollution vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution in the code generation. An attacker who has achieved prototype pollution by a different exploit can execute arbitrary JavaScript code by polluting Object.prototype prior to invoking the affected process. Note: This i...

protobuf.js: Code generation gadget after prototype pollution

Summary protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type...

PT-2026-40541

Name of the Vulnerable Software and Affected Versions protobufjs-cli versions prior to 1.2.1 protobufjs-cli versions prior to 2.0.2 Description Static code generation via pbjs can emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a...

Application Security Strategies Are Changing as AI-generated Code Floods the SDLC

AI-generated code is changing AppSec workflows, forcing teams to rethink SDLC security, dependency checks, code review, and risk prioritization...

CVE-2026-3120

Improper Control of Generation of Code 'Code Injection' vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3...

CVE-2026-3120 RCE in Profelis Informatics' SambaBox

Improper Control of Generation of Code 'Code Injection' vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3...

SambaBox 代码注入漏洞

SambaBox is a file-sharing server solution developed by SambaBox Inc. Based on Samba, versions 5.1 to 5.3 of SambaBox had a code injection vulnerability. This vulnerability stemmed from improper code generation control, which could lead to OS command injections...

PT-2026-36796

Improper Control of Generation of Code 'Code Injection' vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3...

Astra Linux - уязвимость в thunderbird, firefox

A bug in WebAssembly code generation could potentially lead to a crash. It might have been possible for an attacker to exploit this to execute malicious code. This vulnerability has been fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135...

CVE-2026-41134

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata,...

CVE-2026-39440

Improper Control of Generation of Code 'Code Injection' vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1...

CVE-2026-41134

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata,...

CVE-2026-41134 Kiota: Code Generation Literal Injection

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata,...

EUVD-2026-25094

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata,...

CVE-2026-41134 Kiota: Code Generation Literal Injection

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata,...

CVE-2026-41134

Kiota is an OpenAPI-based HTTP client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks ( serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default...