What is the CVSS score of CVE-2026-44295?

CVE-2026-44295 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of protobufjs-cli are affected by CVE-2026-44295?

CVE-2026-44295 is a code injection vulnerability in protobufjs-cli that allows attackers with schema control to inject malicious JavaScript into generated output files, potentially compromising…. A patch is available.

protobufjs-cli CVE-2026-44295

HIGH

Code Injection (CWE-94)

2026-05-12 https://github.com/protobufjs/protobuf.js

GHSA-6r35-46g8-jcw9

RCE Code Injection

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

May 12, 2026 - 16:01 vuln.today

Analysis Generated

May 12, 2026 - 16:01 vuln.today

CVE Published

May 12, 2026 - 15:06 nvd

HIGH 8.7

DescriptionNVD

Summary

pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization.

Impact

An attacker who can provide or influence schemas passed to pbjs may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code would run if the generated file is later executed or imported by the application or build process.

This affects the protobufjs CLI static code generation path. Applications that only use trusted schemas, or that do not execute generated output from untrusted schemas, are not directly affected.

Preconditions

The application or build process must run pbjs static code generation on a schema or JSON descriptor influenced by an attacker.
The attacker-controlled input must contain crafted schema names that reach generated JavaScript output.
The generated JavaScript file must subsequently be executed, imported, or otherwise evaluated.

Workarounds

Do not run affected versions of pbjs static code generation on untrusted schemas or descriptors. If untrusted schemas must be accepted, validate schema names before code generation and run generation in an isolated environment.

AnalysisAI

Code injection in protobufjs-cli's pbjs static generator allows attackers who control protocol buffer schemas to inject malicious JavaScript code into generated output files. The vulnerability affects npm packages protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1, with patches released in versions 1.2.1 and 2.0.2. …

RemediationAI

Within 24 hours: Inventory all projects and CI/CD pipelines using protobufjs-cli and identify current installed versions via npm list or package-lock.json. Within 7 days: Upgrade protobufjs-cli to version 1.2.1 (if using 1.x branch) or 2.0.2 (if using 2.x branch), test generated protobuf outputs in development environments, and verify no malicious modifications in existing generated code. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44295 vulnerability details – vuln.today

Back