THREAT OPS › Threat News › [NVD] CVE-2026-44293 (HIGH 8.8) — protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no
[NVD] CVE-2026-44293 (HIGH 8.8) — protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no
CVE-2026-44293 CVSS: 8.8 HIGH Published: 2026-05-13T16:16:56.253
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause a
MITRE ATT&CK techniques
- JavaScriptT1059.007
Indicators of compromise
- CVE-2026-44293cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44293