JavaScript Injection Vulnerability in Protobuf.js Versions 8.2.0 to 8.6.5
CVE-2026-59876

4.8MEDIUM

Key Information:

Vendor

Protobufjs

Vendor
CVE Published:
8 July 2026

What is CVE-2026-59876?

A vulnerability in the Protobuf.js Text Format extension allows the parsing of string-keyed map entries using ordinary property assignment. This vulnerability occurs in versions ranging from 8.2.0 to 8.6.5, enabling a map entry with the key 'proto' to unintentionally alter the prototype of the returned map object. Consequently, such prototype manipulation could lead to unexpected behavior or potential security issues within applications using affected versions. The issue has been successfully addressed in Protobuf.js version 8.6.5.

Affected Version(s)

protobuf.js >= 8.2.0, < 8.6.5

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.