{"url":"http://public2.vulnerablecode.io/api/packages/373621?format=json","purl":"pkg:npm/protobufjs@8.0.1","type":"npm","namespace":"","name":"protobufjs","version":"8.0.1","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"8.0.2","latest_non_vulnerable_version":"8.2.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81056?format=json","vulnerability_id":"VCID-sbyg-dk24-2kb9","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41242.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41242.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41242","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07698","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41242"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41242","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41242"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2459442","reference_id":"2459442","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2459442"},{"reference_url":"https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75","reference_id":"535df444ac060243722ac5d672db205e5c531d75","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"},{"reference_url":"https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956","reference_id":"ff7b2afef8754837cc6dc64c864cd111ab477956","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg","reference_id":"GHSA-xq3m-2v4x-88gg","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5","reference_id":"protobufjs-v7.5.5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1","reference_id":"protobufjs-v8.0.1","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:21338","reference_id":"RHSA-2026:21338","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:21338"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24977","reference_id":"RHSA-2026:24977","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24977"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373622?format=json","purl":"pkg:npm/protobufjs@7.5.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.5"},{"url":"http://public2.vulnerablecode.io/api/packages/373621?format=json","purl":"pkg:npm/protobufjs@8.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.1"}],"aliases":["CVE-2026-41242","GHSA-xq3m-2v4x-88gg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sbyg-dk24-2kb9"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.1"}