Vulnerability Details CVE-2026-59876
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 12.6%
CVSS Severity
CVSS v3 Score 4.8
Products affected by CVE-2026-59876
-
cpe:2.3:a:protobufjs_project:protobufjs:8.2.0
-
cpe:2.3:a:protobufjs_project:protobufjs:8.2.1
-
cpe:2.3:a:protobufjs_project:protobufjs:8.3.0
-
cpe:2.3:a:protobufjs_project:protobufjs:8.4.0
-
cpe:2.3:a:protobufjs_project:protobufjs:8.4.1
-
cpe:2.3:a:protobufjs_project:protobufjs:8.4.2
-
cpe:2.3:a:protobufjs_project:protobufjs:8.5.0
-
cpe:2.3:a:protobufjs_project:protobufjs:8.6.0
-
cpe:2.3:a:protobufjs_project:protobufjs:8.6.1
-
cpe:2.3:a:protobufjs_project:protobufjs:8.6.2
-
cpe:2.3:a:protobufjs_project:protobufjs:8.6.3
-
cpe:2.3:a:protobufjs_project:protobufjs:8.6.4