CVE-2026-42290
Published: 13 May 2026
Summary
CVE-2026-42290 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, it is ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
NVD Description
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.
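The difference between the two invocation styles named in the description, as an added example that is not protobufjs-cli code and does not reproduce the project's actual fix. It assumes a POSIX shell; a child Node process that echoes its arguments stands in for JSDoc, and the function names and file names are constructed for illustration.

```javascript
const { execSync, execFileSync } = require("child_process");

// Stand-in for JSDoc (assumption): a child Node process that prints the
// arguments it actually received as a JSON array.
const ECHO_ARGV = "console.log(JSON.stringify(process.argv.slice(1)))";

// Pattern the advisory describes: file paths are concatenated into one
// command string and handed to a shell, which re-parses them.
function runViaShellString(files) {
  const cmd = `"${process.execPath}" -e '${ECHO_ARGV}' ${files.join(" ")}`;
  const lines = execSync(cmd, { encoding: "utf8" }).trim().split("\n");
  return { childArgv: JSON.parse(lines[0]), extraOutput: lines.slice(1) };
}

// Hardened form: no shell is involved; each path is exactly one argv element.
function runViaArgv(files) {
  const out = execFileSync(process.execPath, ["-e", ECHO_ARGV, ...files], {
    encoding: "utf8",
  });
  return { childArgv: JSON.parse(out), extraOutput: [] };
}

// Constructed input: the second "file name" carries a shell metacharacter.
const SAMPLE_FILES = ["types.js", "api.js; echo SHELL_RAN_THIS"];

console.log("shell string:", runViaShellString(SAMPLE_FILES));
console.log("argv array:  ", runViaArgv(SAMPLE_FILES));
```

In the shell-string case the child sees a truncated file name and the shell runs the remainder as a second command; in the argv case the child receives the full name unchanged.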
Details
- CWE(s)