CVE-2026-54270
CVE-2026-54270 concerns protobufjs, where versions 8.2.0–8.4.2 preserved unknown wire elements in message.$unknowns during binary decode and lacked a decode-time option to discard them. This could allow crafted protobuf payloads with many unknown fields to cause decoded messages to retain memory ...