
Red Hat CVE-2026-41242

EUVD-2026-23678 | CRITICAL | Code Injection (CWE-94)
2026-04-18 | GitHub_M | GHSA-xq3m-2v4x-88gg
CVSS 4.0: 9.4

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

7 events

  • Apr 23, 2026 - 15:26 (vuln.today): PoC Detected. Public exploit code
  • Apr 20, 2026 - 19:07 (vuln.today): Re-analysis Queued. cvss_changed
  • Apr 18, 2026 - 20:30 (nvd): Patch released. Patch available
  • Apr 18, 2026 - 18:44 (vuln.today): Analysis Generated
  • Apr 18, 2026 - 16:30 (euvd): EUVD ID Assigned. EUVD-2026-23678
  • Apr 18, 2026 - 16:30 (vuln.today): Analysis Generated
  • Apr 18, 2026 - 16:18 (nvd): CVE Published. CRITICAL 9.4

Blast Radius

ecosystem impact
  • 1,132 npm packages depend on protobufjs (57 direct, 1,076 indirect)

Ecosystem-wide dependent count for version 8.0.0.

Description (NVD)

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Analysis (AI)

Code injection vulnerability in protobufjs (JavaScript protobuf library) allows authenticated attackers to execute arbitrary JavaScript code during protobuf object decoding by injecting malicious payloads into 'type' fields of protobuf definitions. Affects all versions before 7.5.5 and 8.0.1. …


Remediation (AI)

Within 24 hours: Identify all applications and services using protobufjs and document current versions in use. Within 7 days: Upgrade protobufjs to version 7.5.5 or 8.0.1 or later across all development, staging, and production environments; test for compatibility before production deployment. …
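
A lockfile check for the inventory step above, as an added example that is not part of the original page or the protobufjs project: it flags protobufjs entries below the fixed releases the advisory names (7.5.5 and 8.0.1). The function names and the sample packages (`grpc-helper`, `rpc-kit`) are constructed for illustration.

```javascript
// Parse "major.minor.patch"; a pre-release suffix is ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Fixed releases named in the advisory: 7.5.5 and 8.0.1.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // not a plain version (git URL, link): review by hand
  return v[0] >= 8 ? lessThan(v, [8, 0, 1]) : lessThan(v, [7, 5, 5]);
}

// Reads the "packages" map (lockfileVersion 2/3), else the nested v1 "dependencies" tree.
function findProtobufjs(lock) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/protobufjs')) record(path, meta);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'protobufjs') record(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/protobufjs': { version: '7.5.5' },
    'node_modules/grpc-helper/node_modules/protobufjs': { version: '7.2.4' },
    'node_modules/rpc-kit/node_modules/protobufjs': { version: '8.0.0' },
  },
};
findProtobufjs(sampleLock).forEach((h) => console.log(`${h.affected ? 'AFFECTED' : 'ok'}\t${h.version}\t${h.path}`));
```

To scan a real project, pass `findProtobufjs` the parsed contents of its `package-lock.json`; nested copies pulled in by indirect dependents are reported with their full path.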

