Protobuf.js Proto6: multiple RCE and denial-of-service vulnerabilities (CVE-2026-44291)

Vulnerability
H score 26
1 unique source, 1 article

Summary

protobuf.js and protobufjs-cli have six newly disclosed vulnerabilities that can enable remote code execution or denial of service in Node.js environments processing untrusted Protobuf data. The flaws affect applications, cloud client libraries, messaging frameworks, and CI/CD pipelines that deserialize schemas or generate code from attacker-controlled inputs. The most severe issue, CVE-2026-44291, can lead to arbitrary JavaScript execution, and fixes are available.

Related Happenings

Protobuf.js unsafe dynamic code generation RCE flaw

Vulnerability
H score 40 · First: 18.04.2026 18:09 · Last: 18.04.2026 18:09 · Sources: 1

About this happening: A **proof-of-concept exploit** is now public for a **critical RCE flaw** in **protobuf.js**, putting **versions 8.0.0/7.5.4 and lower** at risk of code execution. The weakness com...

Timeline

  1. 10.06.2026 08:08 · 2 articles

    Six Proto6 vulnerabilities in protobuf.js expose Node.js apps to RCE and DoS

    Initial Disclosure

    Cybersecurity researchers disclosed six vulnerabilities in protobuf.js and protobufjs-cli that can enable remote code execution or denial of service in Node.js environments handling malicious protobuf schemas, descriptors, or crafted payloads. The flaws, grouped as Proto6, affect Node.js applications, Google Cloud client libraries, messaging frameworks like Baileys, and CI/CD pipelines, with patches available in protobufjs 7.5.6 and 8.0.2 and protobufjs-cli 1.2.1 and 2.0.2.
