
128 matches found

Source: NVD
added 2026/05/13 4:16 p.m., 6 views

CVE-2026-44290

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write...

CVSS 7.5, EPSS 0.00104
Exploits 0, References 1
Source: Cvelist
added 2026/05/13 2:42 p.m., 25 views

CVE-2026-44292 protobufjs: Prototype injection in generated message constructors

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an...

CVSS 5.3, EPSS 0.00083
Exploits 0, References 1
Source: Vulnrichment
added 2026/05/13 2:42 p.m., 3 views

CVE-2026-44292 protobufjs: Prototype injection in generated message constructors

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an...

CVSS 5.3, AI score 5.8, EPSS 0.00083
Exploits 0, References 1
Source: CVE
added 2026/05/13 2:41 p.m., 11 views

CVE-2026-44290

CVE-2026-44290 affects protobufjs, where certain schema option paths could traverse inherited properties during option processing, potentially corrupting process-wide built-in functionality. This vulnerability exists in versions prior to 7.5.6 and 8.0.2 and can enable a crafted protobuf schema or...

CVSS 7.5, AI score 5.8, EPSS 0.00104
Exploits 0, References 1, Affected software 1
Source: ATTACKERKB
added 2026/05/13 2:41 p.m., 4 views

CVE-2026-44290

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write...

CVSS 7.5, AI score 5.8, EPSS 0.00104
Exploits 0, References 2, Affected software 1
Source: Vulnrichment
added 2026/05/13 2:41 p.m., 2 views

CVE-2026-44290 protobufjs: Process-wide denial of service through unsafe option paths

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write...

CVSS 7.5, AI score 5.8, EPSS 0.00104
Exploits 0, References 1
Source: CNNVD
added 2026/05/13 12:00 a.m., 5 views

protobuf.js security vulnerability

protobuf.js is an open-source implementation of the Protocol Buffers protocol, written entirely in JavaScript. It supports Node.js and browsers with TypeScript. It's easy to use, extremely fast, and can be used out of the box through .proto files. Versions prior to 7.5.6 and 8.0.2 of protobuf.js h...

CVSS 7.5, AI score 5.8, EPSS 0.00104
Exploits 0, References 1
Source: Snyk
added 2026/05/12 3:01 p.m., 4 views

Prototype Pollution

Overview: Affected versions of this package are vulnerable to Prototype Pollution in the process of copying enumerable properties from a user-supplied object to a generated message instance without filtering the __proto__ property. An attacker can alter the prototype of individual message instances by...

CVSS 6.3, AI score 6.4, EPSS 0.00083
Exploits 0, References 2
Source: Github Security Blog
added 2026/05/12 3:01 p.m., 12 views

protobuf.js: Process-wide denial of service through unsafe option paths

Summary: protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in...

CVSS 7.5, AI score 6.2, EPSS 0.00104
Exploits 0, References 5, Affected software 1
Source: Snyk
added 2026/05/11 2:53 p.m., 4 views

Improper Validation of Specified Quantity in Input

Overview: Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the emission of non-finite color values in the content stream. An attacker can cause PDF viewers to reject the content stream, affected page, or entire document by supplying special...

CVSS 5.3, AI score 5.8
Exploits 0, References 2
Source: OSV
added 2026/05/11 2:53 p.m., 3 views

GHSA-88Q9-CMP2-C2VQ oxidize-pdf: NaN/inf bypass in colour content-stream emission causes PDF rejection (DoS)

Impact: oxidize-pdf defines Color as a pub enum with public tuple-struct variants Rgb(f64, f64, f64), Gray(f64), and Cmyk(f64, f64, f64, f64). The constructors Color::rgb, Color::gray, and Color::cmyk clamp incoming components to [0.0, 1.0], but because the variants are pub, callers can construct values...

CVSS 4.3, AI score 5.9
Exploits 0, References 2
Source: Positive Technologies
added 2026/05/08 12:00 a.m., 3 views

PT-2026-39304

Name of the Vulnerable Software and Affected Versions: langchain versions prior to 0.3.27. Description: LangChain contains runtime code paths that deserialize inputs, outputs, or other application-controlled payloads using overly broad object allowlists, specifically calling load with allowed...

CVSS 8.2, AI score 5.8, EPSS 0.00045
Exploits 0, References 16
Source: Github Security Blog
added 2026/04/29 3:30 p.m., 5 views

Jenkins Matrix Authorization Strategy Plugin: Unsafe deserialization allows invocation of parameterless constructors

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with...

CVSS 6.5, AI score 5.9, EPSS 0.00085
Exploits 0, References 3, Affected software 1
Source: OSV
added 2026/04/29 3:30 p.m., 0 views

GHSA-JP9R-MMHW-VFF3 Jenkins Matrix Authorization Strategy Plugin: Unsafe deserialization allows invocation of parameterless constructors

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with...

CVSS 6.5, AI score 5.9, EPSS 0.00085
Exploits 0, References 3
Source: OSV
added 2026/03/16 12:00 a.m., 1 view

MAL-2026-3125 Malicious code in transform-regexp-constructors (npm)

The package 'transform-regexp-constructors' is part of the PhantomRaven supply chain attack campaign, Wave 3. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

AI score 5.5
Exploits 0, References 2
Source: Snyk
added 2026/03/03 6:42 a.m., 1 view

Malicious Package

Overview: typescript-constructors is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

CVSS 9.8, AI score 5.9
Exploits 0, References 2
Source: OSV
added 2026/03/03 6:42 a.m., 4 views

MAL-2026-1214 Malicious code in typescript-constructors (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 844c09a21118cd1492d232a90aba55fce7e45e4558fe560c47b8a8c347138b89 The package typescript-constructors was found to contain malicious code. Source: ghsa-malware...

AI score 5.7
Exploits 0, References 1
Source: OSSF Malicious Packages
added 2026/03/03 6:42 a.m., 5 views

Malicious code in typescript-constructors (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 844c09a21118cd1492d232a90aba55fce7e45e4558fe560c47b8a8c347138b89 The package typescript-constructors was found to contain malicious code. Source: ghsa-malware...

AI score 5.7
Exploits 0, References 1
Source: Snyk
added 2026/02/25 5:26 p.m., 1 view

Arbitrary Code Injection

Overview: @enclave-vm/ast is a production-ready, extensible AST validator for JavaScript with rule-based validation. Affected versions of this package are vulnerable to Arbitrary Code Injection by escaping the enclave sandbox. An attacker can pollute the Object constructor rather than the intended...

CVSS 10, AI score 6.2, EPSS 0.00775
Exploits 2, References 3
Source: RedhatCVE
added 2026/01/30 3:24 a.m., 4 views

CVE-2025-71011

An input validation vulnerability in the flow.Tensor.newempty/flow.Tensor.newones/flow.Tensor.newzeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input...

CVSS 6.2, AI score 5.9, EPSS 0.00079
Exploits 1, References 1