PatchSiren

Protobufjs Project CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Protobufjs Project CVE published 2026-05-13

CVE-2026-44293

CVE-2026-44293 is a vulnerability in Protobufjs, a JavaScript library for working with Protocol Buffers. It allows attacker-controlled code to be emitted into the generated conversion function. The cause is an unsafe expression, derived from a schema-controlled bytes field default value, in the JavaScript generated for toObject conversion. A crafted descriptor with a non-string default [truncated]