These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-59877 is a medium-severity vulnerability in protobufjs, a JavaScript library for working with Protocol Buffers. The vulnerability causes an infinite loop when parsing a specially crafted .proto schema. This issue has been fixed in versions 7.6.5 and 8.6.6 of protobufjs. The vulnerability arises from the way protobufjs parses option names in .proto schema files, allowing a crafted .proto schema th [truncated]
The CVE record for CVE-2026-59876 was published on 2026-07-08T16:16:34.233Z. This issue affects protobufjs versions between 8.2.0 and 8.6.4. The vulnerability allows a map entry with key __proto__ to change the prototype of the returned map object. Users of affected versions should update to version 8.6.5. The NVD entry is currently Awaiting Analysis.
CVE-2026-54270 is a vulnerability in Protobufjs, a JavaScript library for compiling protobuf definitions. From versions 8.2.0 to 8.4.2, Protobufjs preserved unknown wire elements in message.$unknowns without a decode-time option to discard them. This could lead to a significant increase in memory usage when decoding untrusted protobuf data. The issue was addressed in Protobufjs 8.5.0 with the addition of [truncated]
A code generation vulnerability in protobufjs-cli allows unsafe JavaScript identifiers to be emitted when generating static code from crafted Protocol Buffer schemas or JSON descriptors. The pbjs tool fails to sufficiently sanitize namespace, enum, service, and derived full names controlled by schema input, potentially resulting in code injection in generated output. This affects static code generation wo [truncated]
CVE-2026-44289 is a denial of service vulnerability in protobufjs, a JavaScript library for working with Protocol Buffers. The vulnerability allows for a denial of service attack by causing the JavaScript call stack to be exhausted during decoding of nested protobuf data. This issue was fixed in versions 7.5.6 and 8.0.2 of protobufjs. The vulnerability has a CVSS score of 7.5 and is considered high severi [truncated]
A command injection vulnerability exists in protobufjs-cli, the command-line add-on for protobuf.js. The `pbts` tool constructs shell command strings from input file paths and executes them via `child_process.exec` without proper sanitization. File paths containing shell metacharacters can be interpreted by the shell rather than passed as literal arguments to JSDoc, enabling arbitrary code execution. This [truncated]
CVE-2026-41242 is a critical vulnerability in protobufjs, a JavaScript library for working with Protocol Buffers. The vulnerability allows attackers to inject arbitrary code in the 'type' fields of protobuf definitions, which can then be executed during object decoding. This issue affects versions prior to 8.0.1 and 7.5.5. The vulnerability has a CVSS score of 9.4 and is considered critical. Protobufjs Pr [truncated]