What is CVE-2026-55388?

CVE-2026-55388 is a high-severity vulnerability in Piscinajs Piscina, classified under Code Injection. CVSS score: 8.1/10. Published 2026-06-22.

How severe is CVE-2026-55388?

High severity. CVSS v3 base score is 8.1 out of 10.

RCE in Piscinajs Piscina

CVE-2026-55388

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's o…

Vulnerability class: RCE (Remote Code Execution)

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Piscinajs Piscina — versions < 4.9.3, >= 5.0.0-alpha.0, < 5.2.0, >= 6.0.0-rc.1, < 6.0.0-rc.2

Weakness classification (CWE)

CWE-94 — Code Injection
CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-55388?: CVE-2026-55388 is a high-severity vulnerability in Piscinajs Piscina, classified under Code Injection. CVSS score: 8.1/10. Published 2026-06-22.
How severe is CVE-2026-55388?: High severity. CVSS v3 base score is 8.1 out of 10.