
protobufjs-cli CVE-2026-42290

HIGH
OS Command Injection (CWE-78)
2026-05-12 https://github.com/protobufjs/protobuf.js GHSA-f84p-cvgm-xgjj
7.8
CVSS 3.1
CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: May 12, 2026, 15:32 (vuln.today)
Analysis Generated: May 12, 2026, 15:32 (vuln.today)
CVE Published: May 12, 2026, 14:59 (NVD)

Description (NVD)

Summary

pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.

Impact

An attacker who can control file names or paths passed to pbts may be able to execute arbitrary shell commands with the privileges of the process running pbts.

This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.

Preconditions

  • The application or user must invoke pbts on file paths influenced by an attacker.
  • The attacker must be able to supply or create a path containing shell-significant characters.
  • The vulnerable pbts version must execute the generated JSDoc command through a shell.

Workarounds

Do not run affected versions of pbts on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking pbts, or run the CLI in an isolated environment with minimal privileges.

Analysis (AI)

Command injection in protobufjs-cli pbts tool allows arbitrary shell command execution when processing file paths with shell metacharacters. The pbts utility builds JSDoc commands by concatenating unsanitized file paths into shell strings executed via child_process.exec. …

Remediation (AI)

Within 24 hours: Identify all systems running protobufjs-cli and document current versions via npm list or package.json review. Within 7 days: Upgrade protobufjs-cli to version 1.2.1 (for v1.x users) or 2.0.2 (for v2.x users) across all development and CI/CD environments. …
