RCE in Protobufjs Protobuf.js

CVE-2026-41242

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.000 (7.7th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2026-41242?
CVE-2026-41242 is a vulnerability in Protobufjs Protobuf.js, classified under Code Injection. Published 2026-04-18.
Is CVE-2026-41242 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.