4 matches found
CVE-2026-54270
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload containing many unknown...
CVE-2026-54270
CVE-2026-54270 concerns protobufjs, where versions 8.2.0–8.4.2 preserved unknown wire elements in message.$unknowns during binary decode and lacked a decode-time option to discard them. This could allow crafted protobuf payloads with many unknown fields to cause decoded messages to retain memory ...
GHSA-94RC-8X27-4472 protobufjs: Memory amplification from preserved unknown fields in binary decode
Summary: protobufjs 8.2.0 added support for preserving unknown fields encountered during binary decode. Affected versions preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload...
EUVD-2026-36566
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...