CVE-2026-42290 HIGH

CVE-2026-42290: protobufjs-cli: OS Command Injection

Vendor Protobufjs

Product protobuf.js

Weakness CWE-78

Published May 13, 2026

Last update May 18, 2026

View on NVD All CVEs

CVSS base score

7.8/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.

Key dates

02Disclosure timeline

May 13, 2026 CVE published

May 18, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-42290 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2026-42290

CWE CWE-78

CVSS 7.8 / HIGH

Affected versions

Vendor Protobufjs

Product protobuf.js

Affected >= 2.0.0, < 2.0.2

Vendor Protobufjs

Product protobuf.js

Affected < 1.2.1

CVE-2026-42290: protobufjs-cli: OS Command Injection

01Description

02Disclosure timeline

03References

04Related CVE