https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Sat, 06 Jun 2026 23:02:01 +0000 https://vulnerability.circl.lu/sighting/37f50c74-014b-4f8f-b2d3-e7ab397c6e37/export {"uuid": "37f50c74-014b-4f8f-b2d3-e7ab397c6e37", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "published-proof-of-concept", "source": "Telegram/x12vbbUj9eUCE8CmwEAAyNGNC_B8MsPtTe6lQq2voLeHmZk", "content": "", "creation_timestamp": "2026-04-18T19:15:08.000000Z"} {"uuid": "37f50c74-014b-4f8f-b2d3-e7ab397c6e37", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "published-proof-of-concept", "source": "Telegram/x12vbbUj9eUCE8CmwEAAyNGNC_B8MsPtTe6lQq2voLeHmZk", "content": "", "creation_timestamp": "2026-04-18T19:15:08.000000Z"} https://vulnerability.circl.lu/sighting/37f50c74-014b-4f8f-b2d3-e7ab397c6e37/export Sat, 18 Apr 2026 19:15:08 +0000 https://vulnerability.circl.lu/sighting/39b65b7a-1d5b-41c9-af1a-8a967e2ac790/export {"uuid": "39b65b7a-1d5b-41c9-af1a-8a967e2ac790", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjs5r3xnbt2i", "content": "", "creation_timestamp": "2026-04-18T19:18:28.454734Z"} {"uuid": "39b65b7a-1d5b-41c9-af1a-8a967e2ac790", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjs5r3xnbt2i", "content": "", "creation_timestamp": "2026-04-18T19:18:28.454734Z"} https://vulnerability.circl.lu/sighting/39b65b7a-1d5b-41c9-af1a-8a967e2ac790/export Sat, 18 Apr 2026 19:18:28 +0000 https://vulnerability.circl.lu/sighting/3d3b2d68-6be2-462e-9fc8-19e3e379f1eb/export {"uuid": "3d3b2d68-6be2-462e-9fc8-19e3e379f1eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-41242", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116429843971410399", "content": "", "creation_timestamp": "2026-04-19T06:00:30.622170Z"} {"uuid": "3d3b2d68-6be2-462e-9fc8-19e3e379f1eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-41242", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116429843971410399", "content": "", "creation_timestamp": "2026-04-19T06:00:30.622170Z"} https://vulnerability.circl.lu/sighting/3d3b2d68-6be2-462e-9fc8-19e3e379f1eb/export Sun, 19 Apr 2026 06:00:30 +0000 https://vulnerability.circl.lu/sighting/d6de5554-5290-4610-9e5c-a71a6d2368da/export {"uuid": "d6de5554-5290-4610-9e5c-a71a6d2368da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-41242", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mjtbn6tvbe2l", "content": "", "creation_timestamp": "2026-04-19T06:00:32.530303Z"} {"uuid": "d6de5554-5290-4610-9e5c-a71a6d2368da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-41242", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mjtbn6tvbe2l", "content": "", "creation_timestamp": "2026-04-19T06:00:32.530303Z"} https://vulnerability.circl.lu/sighting/d6de5554-5290-4610-9e5c-a71a6d2368da/export Sun, 19 Apr 2026 06:00:32 +0000 https://vulnerability.circl.lu/sighting/e5cc0e51-56d7-487d-b77c-8eabbfa53d58/export {"uuid": "e5cc0e51-56d7-487d-b77c-8eabbfa53d58", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116430479808800500", "content": "", "creation_timestamp": "2026-04-19T08:42:12.281436Z"} {"uuid": "e5cc0e51-56d7-487d-b77c-8eabbfa53d58", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116430479808800500", "content": "", "creation_timestamp": "2026-04-19T08:42:12.281436Z"} https://vulnerability.circl.lu/sighting/e5cc0e51-56d7-487d-b77c-8eabbfa53d58/export Sun, 19 Apr 2026 08:42:12 +0000 https://vulnerability.circl.lu/sighting/d3c9aabe-750f-4e9e-8755-e92e8650e263/export {"uuid": "d3c9aabe-750f-4e9e-8755-e92e8650e263", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "published-proof-of-concept", "source": "https://t.me/bdufstecru/3090", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u043e\u043c Protocol Buffers (Protobuf) protobufjs \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434\n\nBDU:2026-05548\nCVE-2026-41242\n\n\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5\nhttps://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1", "creation_timestamp": "2026-04-20T14:09:43.000000Z"} {"uuid": "d3c9aabe-750f-4e9e-8755-e92e8650e263", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "published-proof-of-concept", "source": "https://t.me/bdufstecru/3090", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u043e\u043c Protocol Buffers (Protobuf) protobufjs \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434\n\nBDU:2026-05548\nCVE-2026-41242\n\n\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5\nhttps://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1", "creation_timestamp": "2026-04-20T14:09:43.000000Z"} https://vulnerability.circl.lu/sighting/d3c9aabe-750f-4e9e-8755-e92e8650e263/export Mon, 20 Apr 2026 14:09:43 +0000 https://vulnerability.circl.lu/sighting/0a71a4ef-6285-4976-9ceb-28189162eff6/export {"uuid": "0a71a4ef-6285-4976-9ceb-28189162eff6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://bsky.app/profile/securitylab-jp.bsky.social/post/3mjxsw7mm4k2h", "content": "", "creation_timestamp": "2026-04-21T01:20:30.416177Z"} {"uuid": "0a71a4ef-6285-4976-9ceb-28189162eff6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://bsky.app/profile/securitylab-jp.bsky.social/post/3mjxsw7mm4k2h", "content": "", "creation_timestamp": "2026-04-21T01:20:30.416177Z"} https://vulnerability.circl.lu/sighting/0a71a4ef-6285-4976-9ceb-28189162eff6/export Tue, 21 Apr 2026 01:20:30 +0000 https://vulnerability.circl.lu/sighting/88fedd45-4cf7-4f89-9ae6-f5340187d2ad/export {"uuid": "88fedd45-4cf7-4f89-9ae6-f5340187d2ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://www.acn.gov.it/portale/w/libreria-protobufjs-disponibile-poc-per-lo-sfruttamento-della-cve-2026-41242", "content": "", "creation_timestamp": "2026-04-21T12:57:14.000000Z"} {"uuid": "88fedd45-4cf7-4f89-9ae6-f5340187d2ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://www.acn.gov.it/portale/w/libreria-protobufjs-disponibile-poc-per-lo-sfruttamento-della-cve-2026-41242", "content": "", "creation_timestamp": "2026-04-21T12:57:14.000000Z"} https://vulnerability.circl.lu/sighting/88fedd45-4cf7-4f89-9ae6-f5340187d2ad/export Tue, 21 Apr 2026 12:57:14 +0000 https://vulnerability.circl.lu/sighting/6b18bf11-bb0e-4567-9cbe-af491febccbf/export {"uuid": "6b18bf11-bb0e-4567-9cbe-af491febccbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "published-proof-of-concept", "source": "Telegram/R85q5mAF-_-h3phwgiJ0Y2SWWwG84cWRlWRRB1ACIs5b5lM", "content": "", "creation_timestamp": "2026-04-26T21:00:04.000000Z"} {"uuid": "6b18bf11-bb0e-4567-9cbe-af491febccbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "published-proof-of-concept", "source": "Telegram/R85q5mAF-_-h3phwgiJ0Y2SWWwG84cWRlWRRB1ACIs5b5lM", "content": "", "creation_timestamp": "2026-04-26T21:00:04.000000Z"} https://vulnerability.circl.lu/sighting/6b18bf11-bb0e-4567-9cbe-af491febccbf/export Sun, 26 Apr 2026 21:00:04 +0000 https://vulnerability.circl.lu/sighting/53d2d58a-fc2c-4645-b32a-7d62aa87c7bd/export {"uuid": "53d2d58a-fc2c-4645-b32a-7d62aa87c7bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://gist.github.com/alon710/f442847fd0d81ee05bc55bd2cc39ff9c", "content": "# GHSA-XQ3M-2V4X-88GG: CVE-2026-41242: Remote Code Execution via Dynamic Code Generation in protobufjs\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-04-16\n> **Full Report:** https://cvereports.com/reports/GHSA-XQ3M-2V4X-88GG\n\n## Summary\nCVE-2026-41242 is a critical code injection vulnerability in protobufjs. The library compiles custom serialization functions at runtime using the `Function` constructor. Prior to versions 7.5.5 and 8.0.1, dynamic type names were not sanitized, allowing an attacker to inject arbitrary JavaScript via crafted schema definitions, leading to remote code execution.\n\n## TL;DR\nUnsanitized type names in protobufjs schemas allow attackers to inject and execute arbitrary JavaScript during dynamic code compilation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 9.8\n- **EPSS Score**: 0.00026\n- **Exploit Status**: PoC\n- **CISA KEV Status**: Not Listed\n- **Impact**: Unauthenticated Remote Code Execution\n\n## Affected Systems\n\n- Node.js applications using protobufjs prior to 7.5.5\n- Node.js applications using protobufjs 8.0.0-experimental\n- **protobufjs**: < 7.5.5 (Fixed in: `7.5.5`)\n- **protobufjs**: >= 8.0.0-experimental < 8.0.1 (Fixed in: `8.0.1`)\n\n## Mitigation\n\n- Upgrade protobufjs to version 7.5.5, 8.0.1 or higher.\n- Apply a runtime monkey patch to sanitize inputs if immediate upgrading is impossible.\n- Block untrusted clients from uploading or modifying protobuf schemas.\n- Utilize WAF rules to detect schema payloads containing JavaScript control characters.\n\n**Remediation Steps:**\n1. Identify all internal services and dependencies using protobufjs.\n2. Update package.json and lockfiles to require protobufjs >= 7.5.5 or >= 8.0.1.\n3. Run npm audit or yarn audit to verify that no vulnerable versions remain in the dependency tree.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Advisory: Remote Code Execution in protobufjs](https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg)\n- [Fix Commit (Mainline)](https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75)\n- [Fix Commit (Secondary)](https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956)\n- [Exploit Proof-of-Concept Repository](https://github.com/4chech/CVE-2026-41242)\n- [NVD - CVE-2026-41242](https://nvd.nist.gov/vuln/detail/CVE-2026-41242)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-41242)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-XQ3M-2V4X-88GG) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T11:02:14.000000Z"} {"uuid": "53d2d58a-fc2c-4645-b32a-7d62aa87c7bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41242", "type": "seen", "source": "https://gist.github.com/alon710/f442847fd0d81ee05bc55bd2cc39ff9c", "content": "# GHSA-XQ3M-2V4X-88GG: CVE-2026-41242: Remote Code Execution via Dynamic Code Generation in protobufjs\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-04-16\n> **Full Report:** https://cvereports.com/reports/GHSA-XQ3M-2V4X-88GG\n\n## Summary\nCVE-2026-41242 is a critical code injection vulnerability in protobufjs. The library compiles custom serialization functions at runtime using the `Function` constructor. Prior to versions 7.5.5 and 8.0.1, dynamic type names were not sanitized, allowing an attacker to inject arbitrary JavaScript via crafted schema definitions, leading to remote code execution.\n\n## TL;DR\nUnsanitized type names in protobufjs schemas allow attackers to inject and execute arbitrary JavaScript during dynamic code compilation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 9.8\n- **EPSS Score**: 0.00026\n- **Exploit Status**: PoC\n- **CISA KEV Status**: Not Listed\n- **Impact**: Unauthenticated Remote Code Execution\n\n## Affected Systems\n\n- Node.js applications using protobufjs prior to 7.5.5\n- Node.js applications using protobufjs 8.0.0-experimental\n- **protobufjs**: < 7.5.5 (Fixed in: `7.5.5`)\n- **protobufjs**: >= 8.0.0-experimental < 8.0.1 (Fixed in: `8.0.1`)\n\n## Mitigation\n\n- Upgrade protobufjs to version 7.5.5, 8.0.1 or higher.\n- Apply a runtime monkey patch to sanitize inputs if immediate upgrading is impossible.\n- Block untrusted clients from uploading or modifying protobuf schemas.\n- Utilize WAF rules to detect schema payloads containing JavaScript control characters.\n\n**Remediation Steps:**\n1. Identify all internal services and dependencies using protobufjs.\n2. Update package.json and lockfiles to require protobufjs >= 7.5.5 or >= 8.0.1.\n3. Run npm audit or yarn audit to verify that no vulnerable versions remain in the dependency tree.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Advisory: Remote Code Execution in protobufjs](https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg)\n- [Fix Commit (Mainline)](https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75)\n- [Fix Commit (Secondary)](https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956)\n- [Exploit Proof-of-Concept Repository](https://github.com/4chech/CVE-2026-41242)\n- [NVD - CVE-2026-41242](https://nvd.nist.gov/vuln/detail/CVE-2026-41242)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-41242)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-XQ3M-2V4X-88GG) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T11:02:14.000000Z"} https://vulnerability.circl.lu/sighting/53d2d58a-fc2c-4645-b32a-7d62aa87c7bd/export Wed, 03 Jun 2026 11:02:14 +0000