CVE-2026-44290

High

Published: 13 May 2026

Published

13 May 2026

Modified

14 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0004 13.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44290 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Protobufjs Project Protobufjs. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to…

write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-1321

Affected Products

protobufjs project

protobufjs

≤ 7.5.6 · 8.0.0 — 8.0.2

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jvwf-75h9-cwgg
Mitigation, Vendor Advisory · security-advisories@github.com