
protobufjs CVE-2026-44288

Severity: MEDIUM (CVSS 3.1 base score 5.3)
Weakness: Improper Handling of Unicode Encoding (CWE-176)
Published: 2026-05-12
Project: https://github.com/protobufjs/protobuf.js
Advisory: GHSA-q6x5-8v7m-xcrf

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: May 12, 2026, 15:33 (vuln.today)
  • Analysis Generated: May 12, 2026, 15:33 (vuln.today)
  • CVE Published: May 12, 2026, 15:00 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to 4-path depth):
  • 73,098 npm packages depend on @protobufjs/utf8 (2,386 direct, 70,717 indirect)
  • 1,132 npm packages depend on protobufjs (57 direct, 1,076 indirect)

Ecosystem-wide dependent count for version 1.1.1 and other introduced versions.

Description (NVD)

Summary

protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.

The issue concerns overlong encodings and code points outside the Unicode range. protobufjs may still accept some non-strict UTF-8 input for compatibility, so applications should not rely on protobufjs as a general-purpose strict UTF-8 validator.

Impact

An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters.

The practical impact depends on downstream application validation and how decoded strings are used. Node.js Buffer-backed decoding paths are not directly affected when they use Node's native UTF-8 decoding.

Preconditions

  • The application must decode protobuf binary data influenced by an attacker.
  • The affected protobuf string field must be decoded through protobufjs's minimal UTF-8 decoder rather than a native UTF-8 decoder.
  • The application must rely on byte-level filtering or validation before protobuf string decoding.
  • The decoded string must then be used in a security-sensitive context.

Workarounds

Avoid relying only on byte-level filtering before protobuf string decoding with affected versions. Validate decoded strings at the point where they are used, and prefer runtime paths that use native UTF-8 decoding where necessary.
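As an added illustration (not protobufjs's own decoder), the following JavaScript shows what a strict UTF-8 decoder must do with the inputs this advisory describes: overlong sequences, surrogates and code points above U+10FFFF become U+FFFD instead of their canonical characters, and a second check delegates to the runtime's native decoder, which is the path the workaround recommends. The function names and the sample byte sequences are constructed for this example.

```javascript
// Added example, not protobufjs code: a strict UTF-8 decoder that turns
// overlong sequences, UTF-16 surrogates and code points above U+10FFFF
// into U+FFFD instead of decoding them to their canonical characters.
// Lead-byte ranges follow RFC 3629 / Unicode Table 3-7: C0, C1 and F5..FF
// can only start overlong or out-of-range sequences, so they are rejected up front.
function strictUtf8Decode(bytes) {
  let out = "";
  let i = 0;
  while (i < bytes.length) {
    const b0 = bytes[i];
    if (b0 < 0x80) { out += String.fromCharCode(b0); i += 1; continue; }
    let need, cp, min;
    if (b0 >= 0xc2 && b0 <= 0xdf) { need = 1; cp = b0 & 0x1f; min = 0x80; }
    else if (b0 >= 0xe0 && b0 <= 0xef) { need = 2; cp = b0 & 0x0f; min = 0x800; }
    else if (b0 >= 0xf0 && b0 <= 0xf4) { need = 3; cp = b0 & 0x07; min = 0x10000; }
    else { out += "\uFFFD"; i += 1; continue; } // C0/C1, F5..FF, stray continuation
    let got = 0;
    while (got < need && i + 1 + got < bytes.length && (bytes[i + 1 + got] & 0xc0) === 0x80) {
      cp = (cp << 6) | (bytes[i + 1 + got] & 0x3f);
      got += 1;
    }
    // Shape alone is not enough: the value must be the shortest encoding of the
    // code point, not a surrogate, and inside the Unicode range.
    const bad = got < need || cp < min || (cp >= 0xd800 && cp <= 0xdfff) || cp > 0x10ffff;
    if (bad) { out += "\uFFFD"; i += 1; continue; } // resync on the next byte
    out += String.fromCodePoint(cp);
    i += need + 1;
  }
  return out;
}

// Preferred in practice: let the runtime's native decoder (TextDecoder in
// Node.js and browsers) reject malformed input. With { fatal: true } it throws
// on overlong and out-of-range sequences, so this returns true only for
// well-formed UTF-8.
function isWellFormedUtf8(bytes) {
  try {
    new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed samples: "/" encoded canonically, "/" as 2-byte and 3-byte
// overlong sequences, and U+110000 (one above the Unicode maximum).
const SAMPLES = {
  canonicalSlash: Uint8Array.of(0x2f),
  overlongSlash2: Uint8Array.of(0xc0, 0xaf),
  overlongSlash3: Uint8Array.of(0xe0, 0x80, 0xaf),
  aboveUnicode: Uint8Array.of(0xf4, 0x90, 0x80, 0x80),
};
```

A byte-level filter that looks for 0x2F sees nothing in the two overlong samples, yet a lenient decoder would hand the application a "/"; both functions above refuse to produce that character.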

Analysis (AI)

protobufjs versions 7.5.5 and earlier, and 8.0.0 through 8.0.1, accept overlong UTF-8 byte sequences in the minimal UTF-8 decoder used by non-Node and fallback decoding paths. This allows attackers to bypass byte-level filtering and decode strings containing characters that were not present in the raw protobuf binary input. This integrity issue affects applications that rely on pre-decoding byte validation before using protobuf strings in security-sensitive contexts. …

