0x5t4l1n/CVE
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/CVE.git synced 2026-05-26 11:25:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update CVE-2026-42290.md

Browse Source
This commit is contained in:
Stalin
2026-05-12 18:27:45 +05:30
committed by GitHub
parent 8cfcd2f8cd
commit 98140b9c79
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
reported/CVE-2026-42290.md
+7 -1
View File
@@ -1,12 +1,17 @@
![CVE](https://img.shields.io/badge/CVE-2026--42290-red) ![CVE](https://img.shields.io/badge/CVE-2026--42290-red)
# CVE-2026-42290 — protobufjs `pbts` Command Injection via Unsanitized File Paths
# protobufjs `pbts` Command Injection via Unsanitized File Paths > CVE-2026-42290 has been officially published.
## Overview ## Overview
The `pbts` CLI tool in protobufjs constructed a shell command using unsanitized file paths and executed it via `child_process.exec`, allowing shell metacharacters in file names or paths to be interpreted by the shell. The `pbts` CLI tool in protobufjs constructed a shell command using unsanitized file paths and executed it via `child_process.exec`, allowing shell metacharacters in file names or paths to be interpreted by the shell.
**CVE ID:** CVE-2026-42290
**Affected Component:** protobufjs CLI (`pbts`)
**Severity:** High **Severity:** High
**Vulnerability Type:** Command Injection **Vulnerability Type:** Command Injection
@@ -58,3 +63,4 @@ The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobu
## Discoverer ## Discoverer
**Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n)) **Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n))