PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59876 protobufjs CVE debrief

The CVE record for CVE-2026-59876 was published on 2026-07-08T16:16:34.233Z. This issue affects protobufjs versions between 8.2.0 and 8.6.4. The vulnerability allows a map entry with key __proto__ to change the prototype of the returned map object. Users of affected versions should update to version 8.6.5. The NVD entry is currently Awaiting Analysis.

Vendor
protobufjs
Product
protobuf.js
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of protobufjs versions between 8.2.0 and 8.6.4 should update to version 8.6.5 to fix the vulnerability. This includes developers and maintainers of applications using protobufjs within the affected version range. Security teams should review and update affected systems and applications.

Technical summary

The protobufjs Text Format extension incorrectly parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry. This issue affects protobufjs versions between 8.2.0 and 8.6.4. The vulnerability was fixed in version 8.6.5, which correctly handles map entries. Users of affected versions should update to version 8.6.5 to fix the vulnerability. Limited information is available on potential exploitation attempts, and users should verify their deployments and review official advisories for affected scope and severity. Evidence is based on official CVE and NVD records, with limited additional context. The issue has a CVSS score of 4.8 and is considered Medium priority due to potential for prototype pollution.

Defensive priority

Medium priority due to CVSS score of 4.8 and potential for prototype pollution.

Recommended defensive actions

  • Update to protobufjs version 8.6.5 or later
  • Review and update affected systems and applications
  • Monitor for potential exploitation attempts
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability was fixed in version 8.6.5. Limited information available on potential exploitation. Users should verify their deployments and review official advisories for affected scope and severity. Evidence is based on official CVE and NVD records, with limited additional context.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T16:16:34.233Z and has not been modified since then.