CVE-2026-41242

CRITICAL

protobufjs Type Fields - Arbitrary Code Execution

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-41242. PoCs published by 4chech.

AI-analyzed exploit summary: The repository contains only node_modules dependencies (protobufjs libraries) with no actual exploit code or technical details related to CVE-2026-41242. No PoC, scanner, or writeup is present.

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Exploits (1)

github · STUB
by 4chech · javascript · poc
https://github.com/4chech/CVE-2026-41242

Classification Stub 95%
Attack Type Other
Complexity Trivial
Reliability Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 26, 2026

Scores

CVSS v3 9.8
EPSS 0.0057
EPSS Percentile 42.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE CWE-94
Status published
Products (5)
npm/protobufjs 8.0.0 - 8.0.1 (npm)
protobufjs/protobuf.js < 7.5.5
protobufjs/protobuf.js >= 8.0.0-experimental, < 8.0.1
protobufjs_project/protobufjs 8.0.0
protobufjs_project/protobufjs < 7.5.5
Published Apr 18, 2026
Tracked Since Apr 18, 2026