protobuf.js CVE-2026-44291

Severity: HIGH (CVSS 3.1 base score 8.1)
Weakness: Code Injection (CWE-94)
Published: 2026-05-12
Project: https://github.com/protobufjs/protobuf.js
Advisory: GHSA-75px-5xx7-5xc7

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Source Code Evidence Fetched: May 12, 2026 - 16:00 (vuln.today)
  • Analysis Generated: May 12, 2026 - 16:00 (vuln.today)
  • CVE Published: May 12, 2026 - 15:01 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to 4-path depth):
  • 1,132 npm packages depend on protobufjs (57 direct, 1,076 indirect)

Ecosystem-wide dependent count for version 8.0.0.

Description (NVD)

Summary

protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.

This could cause attacker-controlled strings to be emitted into generated JavaScript code.

Impact

An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.

This issue requires a separate prototype pollution primitive before protobufjs is invoked.

Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.

Preconditions

  • The application or one of its dependencies must allow an attacker to pollute Object.prototype.
  • The polluted property must affect protobufjs internal type lookup behavior.
  • The application must use protobufjs functionality that generates encode or decode code for affected types.
  • The generated code path must be reached after the prototype pollution has occurred.

Workarounds

Avoid running affected versions in applications where attacker-controlled input can pollute Object.prototype. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.
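To make the Summary's mechanism concrete, the following added JavaScript illustrates a code generator whose type lookup table is a plain object, and two standard ways of closing the hole (a null-prototype table and an own-property check). This is not protobufjs source code and makes no claim about the project's actual patch; the table contents, the `polluted_type` name and the polluted value are constructed for the example.

```javascript
// Constructed lookup table in the vulnerable shape: a plain object literal,
// so it inherits from Object.prototype and any property polluted onto that
// prototype is reachable by a bracket lookup for a name the table never set.
const plainTable = {
  uint32: "w.uint32(m.%s)",
  string: "w.string(m.%s)",
};

// Hardened table: Object.create(null) gives a table with no prototype at all,
// so only the entries copied into it can ever be resolved.
const nullProtoTable = Object.assign(Object.create(null), plainTable);

// Lookup as the vulnerable generator would do it: whatever the property
// access yields (own or inherited) is treated as valid type information.
function lookupUnsafe(table, typeName) {
  const snippet = table[typeName];
  if (snippet === undefined) throw new Error(`unknown type: ${typeName}`);
  return snippet;
}

// Hardened lookup that works for any table: accept own properties only, so an
// inherited (polluted) property is rejected exactly like a missing one.
function lookupSafe(table, typeName) {
  if (!Object.prototype.hasOwnProperty.call(table, typeName)) {
    throw new Error(`unknown type: ${typeName}`);
  }
  return table[typeName];
}

// Simulates the precondition from the advisory: Object.prototype has already
// been polluted before the generator runs. Returns the snippet the generator
// would splice into emitted code, or a "rejected" marker, and always restores
// Object.prototype afterwards.
function resolveUnderPollution(lookup, table, typeName) {
  Object.defineProperty(Object.prototype, typeName, {
    value: "CONSTRUCTED_POLLUTED_VALUE", // stands in for an attacker-controlled string
    configurable: true,
  });
  try {
    return lookup(table, typeName);
  } catch (e) {
    return `rejected: ${e.message}`;
  } finally {
    delete Object.prototype[typeName];
  }
}
```

Running `resolveUnderPollution` with `lookupUnsafe` on `plainTable` returns the polluted value, while either the null-prototype table or `lookupSafe` rejects the unknown type.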

Analysis (AI)

Prototype pollution in protobuf.js type lookup tables enables remote code execution via code injection into generated encode/decode functions. Affects npm package protobuf.js versions ≤7.5.5 and 8.0.0-8.0.1. …


Remediation (AI)

Within 24 hours: Identify all internal applications and dependencies using protobuf.js via software bill of materials (SBOM) or npm audit. Within 7 days: Upgrade protobuf.js to version 7.5.6 or 8.0.2 (or later) across all affected applications and conduct dependency scanning. …
