Package impact
NPM / protobufjs
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44293 | high | 8.8 | 8.8 | 16d ago | protobuf.js: Code injection through bytes field defaults in generated toObject code | |||
| CVE-2026-44291 | high | 8.1 | 8.1 | 16d ago | protobuf.js: Code generation gadget after prototype pollution | |||
| CVE-2026-45740 | high | 7.5 | 7.5 | 16d ago | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | |||
| CVE-2026-44290 | high | 7.5 | 7.5 | 16d ago | protobuf.js: Process-wide denial of service through unsafe option paths | |||
| CVE-2026-44289 | high | 7.5 | 7.5 | 16d ago | protobuf.js: Denial of service through unbounded protobuf recursion | |||
| CVE-2026-44294 | medium | 5.3 | 5.3 | 16d ago | protobuf.js: Denial of service from crafted field names in generated code | |||
| CVE-2026-44292 | medium | 5.3 | 5.3 | 16d ago | protobuf.js: Prototype injection in generated message constructors | |||
| CVE-2026-44288 | medium | 5.3 | 5.3 | 16d ago | protobufjs has overlong UTF-8 decoding |