24 matches found
CVE-2026-54271
The CVE-2026-54271 entry concerns protobufjs-cli (pbjs) static code generation, where insecure handling of pre-parsed JSON descriptors could lead to attacker-controlled JavaScript in generated output. Concrete details across connected sources show that protobufjs-cli versions prior to the fixed r...
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
Summary: A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas fro...
Arbitrary Code Injection
Overview: protobufjs-cli translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted...
NPM: protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
NPM: protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.3.1...
NPM: protobufjs: Schema-derived names can shadow runtime-significant properties
NPM: protobufjs: Schema-derived names can shadow runtime-significant properties vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.3.2...
Improper Check for Unusual or Exceptional Conditions
Overview: protobufjs-cli translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant...
CVE-2026-42290
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell inste...
CVE-2026-44295
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum,...
CVE-2026-44295 protobufjs-cli: Code injection in pbjs static output from crafted schema names
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum,...
CVE-2026-42290 protobufjs-cli: OS Command Injection
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell inste...
CVE-2026-42290
Summary: The vulnerability affects protobufjs-cli’s pbts command. In versions before 1.2.1 and 2.0.2, pbts builds a shell command string from input file paths and runs it via child_process.exec, allowing file paths containing shell metacharacters to be interpreted by the shell. This can enable OS...
10minions-engine (>=0.0.1 <=0.0.4), @1amageek/document-propagator (>=0.10.1 <=1.0.0) +1535 more potentially affected by CVE-2026-44295 via protobufjs-cli (>=1.0.0 <=1.1.3)
protobufjs-cli NPM version =1.0.0, =0.0.1, =0.10.1, =1.1.0, =0.4.0, =1.22.0, =6.2.36, =1.0.0, =1.8.0, =0.0.0-beta.0, =1.0.0, =1.0.1, =3.1.0 and more Source cves: CVE-2026-44295 Source advisory: SNYK:JS-PROTOBUFJSCLI-16643441...
@forwardimpact/libcodegen (>=0.1.47 <=0.1.52) potentially affected by CVE-2026-44295 via protobufjs-cli (=2.0.1)
protobufjs-cli NPM version =2.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on protobufjs-cli and may be impacted: - @forwardimpact/libcodegen =0.1.47, =0.1.52 Source cves: CVE-2026-44295 Source advisory: SNYK:JS-PROTOBUFJSCLI-16643441...
@forwardimpact/libcodegen (>=0.1.47 <=0.1.52) potentially affected by CVE-2026-44295 via protobufjs-cli (=2.0.1)
protobufjs-cli NPM version =2.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on protobufjs-cli and may be impacted: - @forwardimpact/libcodegen =0.1.47, =0.1.52 Source cves: CVE-2026-44295 Source advisory: OSV:GHSA-6R35-46G8-JCW9...
Uncontrolled Recursion
Overview: protobufjs-cli translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Uncontrolled Recursion through unbounded recursion when decoding nested message fields. An attacker can exhaust the call...
10minions-engine (>=0.0.1 <=0.0.4), @1amageek/document-propagator (>=0.10.1 <=1.0.0) +1535 more potentially affected by CVE-2026-44289 via protobufjs-cli (>=1.0.0 <=1.1.3)
protobufjs-cli NPM version =1.0.0, =0.0.1, =0.10.1, =1.1.0, =0.4.0, =1.22.0, =6.2.36, =1.0.0, =1.8.0, =0.0.0-beta.0, =1.0.0, =1.0.1, =3.1.0 and more Source cves: CVE-2026-44289 Source advisory: SNYK:JS-PROTOBUFJSCLI-16643263...
@forwardimpact/libcodegen (>=0.1.47 <=0.1.52) potentially affected by CVE-2026-44289 via protobufjs-cli (=2.0.1)
protobufjs-cli NPM version =2.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on protobufjs-cli and may be impacted: - @forwardimpact/libcodegen =0.1.47, =0.1.52 Source cves: CVE-2026-44289 Source advisory: SNYK:JS-PROTOBUFJSCLI-16643263...