Strix
26.1K

CVE-2026-44295

HIGHCVSS 8.7/10EPSS 0.40%

Last modified

CVE-2026-44295 is a high-severity vulnerability rated 8.7/10 on the CVSS scale. protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. EPSS estimates a 0.40% chance of exploitation in the next 30 days.

Description

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.

Metrics

CVSS 3.1
8.7/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Probability
0.40%

31.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Protobufjs ProjectProtobufjs-Cli< 1.2.1
Protobufjs ProjectProtobufjs-Cli>= 2.0.0, < 2.0.2

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-44295?
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.
How severe is CVE-2026-44295?
CVE-2026-44295 has a CVSS score of 8.7/10 (HIGH severity). The EPSS model estimates a 0.40% probability of exploitation in the next 30 days.
How do I fix CVE-2026-44295?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-44295?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST