What is CVE-2026-44291?

CVE-2026-44291 is a high-severity vulnerability in Protobufjs Protobuf.js, classified under Code Injection. CVSS score: 8.1/10. Published 2026-05-13.

How severe is CVE-2026-44291?

High severity. CVSS v3 base score is 8.1 out of 10.

RCE in Protobufjs Protobuf.js

CVE-2026-44291

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Ob…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.000 (6.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Protobufjs Protobuf.js — versions < 7.5.6, >= 8.0.0, < 8.0.2
Protobufjs_project Protobufjs

Weakness classification (CWE)

CWE-94 — Code Injection

References

security-advisories@github.com (x_refsource_CONFIRM, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-44291?: CVE-2026-44291 is a high-severity vulnerability in Protobufjs Protobuf.js, classified under Code Injection. CVSS score: 8.1/10. Published 2026-05-13.
How severe is CVE-2026-44291?: High severity. CVSS v3 base score is 8.1 out of 10.