diff --git a/reported/CVE-2026-42290.md b/reported/CVE-2026-42290.md new file mode 100644 index 0000000..87868d6 --- /dev/null +++ b/reported/CVE-2026-42290.md 
@@ -0,0 +1,60 @@ +![CVE](https://img.shields.io/badge/CVE-2026--42290-red) + + +# protobufjs `pbts` Command Injection via Unsanitized File Paths + +## Overview + +The `pbts` CLI tool in protobufjs constructed a shell command using unsanitized file paths and executed it via `child_process.exec`, allowing shell metacharacters in file names or paths to be interpreted by the shell. + +**Severity:** High + +**Vulnerability Type:** Command Injection + +**CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command) + +--- + +## Description + +`pbts` invoked JSDoc by building a shell command string from input file paths and executing it through `child_process.exec`. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. + +This behavior allowed attacker-controlled file names or paths to inject arbitrary shell commands during execution of the `pbts` CLI tool. + +--- + +## Impact + +* An attacker who can control file names or paths passed to `pbts` may be able to execute arbitrary shell commands. +* Commands execute with the privileges of the process running `pbts`. +* The issue affects the protobufjs CLI tooling workflow. + +The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue. + +--- + +## Preconditions + +* The application or user must invoke `pbts` on file paths influenced by an attacker. +* The attacker must be able to supply or create a path containing shell-significant characters. +* The vulnerable `pbts` version must execute the generated JSDoc command through a shell. + +--- + +## Workarounds + +* Do not run affected versions of `pbts` on attacker-controlled file names or paths. +* Sanitize or rename input files before invoking `pbts`. +* Run the CLI in an isolated environment with minimal privileges if untrusted input cannot be avoided. 
+ +--- + +## References + +* https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj + +--- + +## Discoverer + +**Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n))
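Review bot: the advisory never states which protobufjs releases are affected or which release contains the fix, so the Workarounds bullet "Do not run affected versions of `pbts` on attacker-controlled file names or paths" gives the reader no way to tell whether they are affected, and upgrading, the actual remediation, is not mentioned at all. Add an "Affected Versions" / "Patched Versions" section (or a line under Overview) with the version range and fixed version taken from the linked GHSA advisory rather than guessed here, and lead Workarounds with "Upgrade to the patched version" before the mitigations for people who cannot upgrade. Two smaller points in the same hunk: "**Severity:** High" would be more useful with the CVSS vector or score the GHSA assigns, and since the Description pins the root cause to building a shell string for `child_process.exec`, a one-line statement of how the fix avoids the shell (for example passing the paths as an argv array to `execFile`/`spawn`, if that is what the project did) would let downstream users verify they are running a safe build.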