CVE-2026-42290

Published: May 13th, 2026
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.
HIGH
CVSS v3: 7.8

Status

DocFilters Release Package State Justification Comment
26.2 protobuf (3.0.0) Needs Triage
26.1 protobuf (3.0.0) Needs Triage
25.4 protobuf (3.0.0) Needs Triage
25.3 protobuf (3.0.0) Needs Triage
25.2 protobuf (3.0.0) Needs Triage
25.1 protobuf (3.0.0) Needs Triage
24.4 protobuf (3.0.0) Needs Triage
24.4.0 protobuf (3.0.0) Needs Triage
24.3 protobuf (3.0.0) Needs Triage
24.2 protobuf (3.0.0) Needs Triage
24.1 protobuf (3.0.0) Needs Triage
23.3 protobuf (3.0.0) Needs Triage
23.2 protobuf (3.0.0) Needs Triage
23.1 protobuf (3.0.0) Needs Triage
22.4 protobuf (3.0.0) Needs Triage
22.3 protobuf (3.0.0) Needs Triage
22.2 protobuf (3.0.0) Needs Triage
22.1 protobuf (3.0.0) Needs Triage
21.11 protobuf (3.0.0) Needs Triage
21.8 protobuf (3.0.0) Needs Triage
21.5.0 protobuf (3.0.0) Needs Triage
21.2.0 protobuf (3.0.0) Needs Triage
11.4.19.3667 protobuf (3.0.0) Needs Triage
11.4.18.3599 protobuf (3.0.0) Needs Triage
11.4.16.3445 protobuf (3.0.0) Needs Triage
11.4.15.3368 protobuf (3.0.0) Needs Triage
11.4.14.3263 protobuf (3.0.0) Needs Triage
11.4.13.3179 protobuf (3.0.0) Needs Triage
11.4.12.3054 protobuf (3.0.0) Needs Triage
11.4.11.3040 protobuf (3.0.0) Needs Triage
11.4.11.2990 protobuf (3.0.0) Needs Triage
11.4.10.2934 protobuf (3.0.0) Needs Triage
11.4.9.2878 protobuf (3.0.0) Needs Triage
11.4.8.2822 protobuf (3.0.0) Needs Triage

Severity score breakdown

Attack Complexity
LOW
Attack Vector
LOCAL
Availability Impact
HIGH
Base Score
7.8
Base Severity
HIGH
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Privileges Required
NONE
Scope
UNCHANGED
User Interaction
REQUIRED
Vector String
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version
3.1

References