{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5758", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-07T17:20:03.756Z", "datePublished": "2026-04-15T17:20:13.551Z", "dateUpdated": "2026-04-15T18:55:45.526Z"}, "containers": {"cna": {"title": "Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution", "descriptions": [{"lang": "en", "value": "JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Mafintosh", "product": "Protocol-buffers-schema parser", "versions": [{"status": "affected", "version": "3.6.0", "lessThan": "3.6.1", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "references": [{"url": "https://github.com/mafintosh/protocol-buffers-schema/pull/70"}, {"url": "https://morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution/"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5758"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-15T17:23:02.336Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:55:12.559324Z", "id": "CVE-2026-5758", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:55:45.526Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5758", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:55:12.559324Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:55:39.046Z"}}], "cna": {"title": "Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Mafintosh", "product": "Protocol-buffers-schema parser", "versions": [{"status": "affected", "version": "3.6.0", "lessThan": "3.6.1", "versionType": "custom"}]}], "references": [{"url": "https://github.com/mafintosh/protocol-buffers-schema/pull/70"}, {"url": "https://morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution/"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5758"}, "descriptions": [{"lang": "en", "value": "JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-15T17:23:02.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5758", "state": "PUBLISHED", "dateUpdated": "2026-04-15T18:55:45.526Z", "dateReserved": "2026-04-07T17:20:03.756Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-15T17:20:13.551Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution."}], "id": "CVE-2026-5758", "lastModified": "2026-04-15T20:16:38.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T18:17:24.920", "references": [{"source": "cret@cert.org", "url": "https://github.com/mafintosh/protocol-buffers-schema/pull/70"}, {"source": "cret@cert.org", "url": "https://morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Received"}

{"bugzilla": {"description": "protocol-buffers-schema: protocol-buffers-schema: Remote code execution via prototype pollution", "id": "2458736", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458736"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "status": "draft"}, "cwe": "CWE-915", "details": ["A flaw was found in the `protocol-buffers-schema` JavaScript library. This vulnerability, known as prototype pollution, allows an attacker to inject malicious properties into an object's core definition. This could enable an attacker to change how an application behaves, bypass security measures, or cause the application to stop working (Denial of Service). In specific circumstances, this flaw could potentially lead to an attacker running unauthorized code on the system."], "mitigation": {"lang": "en:us", "value": "If using protocol-buffers-schema, perform the following checks to help mitigate the impact of this vulnerability:\n1. Do not parse `.proto` files from untrusted or semi-trusted sources (ex. user uploads, external repos, third-party APIs, etc.). \n2. Audit downstream code for prototype pollution gadgets (ex. template engines, ORM configs, HTTP frameworks). \n3. Consider freezing `Object.prototype` in security-sensitive contexts as a defense-in-depth measure (ex. `Object.freeze(Object.prototype);`). \nIf maintaining a parser or config loader:\n1. Never use `reduce` or bracket notation to walk user-controlled paths without filtering dangerous keys. \n2. Block `__proto__`, `constructor`, and `prototype` explicitly in any path traversal logic. \n3. Add negative test cases to verify that prototype pollution does not occur."}, "name": "CVE-2026-5758", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Fix deferred", "package_name": "grafana-infinity-datasource-npm", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-04-15T17:20:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5758\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5758\nhttps://github.com/mafintosh/protocol-buffers-schema/pull/70\nhttps://morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution/"], "statement": "Red Hat rates this flaw as Moderate. `protocol-buffers-schema` is a library and does not run on its own, as such, it requires an application to call it and utilize the vulnerable parsing functionality. When the pollution occurs, that application may read whatever malicious property was injected by the attacker, but then has to make a security-relevant decision (ex. granting access, spawning a process, etc.) and do it without checking whether the property actually belongs to the object or was inherited. As such, the impact of this vulnerability is entirely determined by what else is running in the process that calls the library along with what what permissions and checks it has, making the worst-case scenario of RCE only possible if that process is itself vulnerable.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.6.0,3.6.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Protocol-buffers-schema parser", "source": "cna", "vendor": "Mafintosh"}, "product": "protocol-buffers-schema_parser", "vendor": "mafintosh"}], "analysis": {"en": {"generated_at": "2026-04-17T09:23:26.284998+00:00", "value": {"mitigation_remediation": ["Upgrade the protocol\u2011buffers\u2011schema package to the latest available release (post\u20113.6.0) or apply the patch contained in version\u202f3.6.1 or newer.", "If an immediate upgrade is not possible, hard\u2011enforce input validation by restricting the parser to trusted, whitelisted protocol buffer definitions and ensuring that no untrusted data reaches the vulnerable code.", "Lock the dependency in package-lock.json or use npm\u2011audit to block the installation of the vulnerable 3.6.0 version and audit existing installations for the presence of that release."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via prototype pollution"}, "threat_synthesis": {"affected_systems": "The affected product is Mafintosh\u2019s protocol\u2011buffers\u2011schema parser, specifically version\u202f3.6.0. Any Node.js application that imports or depends on this version of the package is at risk. The vulnerability is tied solely to this single version; newer releases include fixes.", "description_and_impact": "An attacker can use JavaScript prototype pollution in the Mafintosh protocol-buffers-schema library version 3.6.0 to modify properties on Object.prototype, as identified in the vulnerability entry. Such manipulation can alter application behavior, undermine authentication or authorization checks, trigger denial\u2011of\u2011service states, or in some contexts enable the execution of arbitrary code by the vulnerable host. The impact therefore includes potential code execution in addition to integrity compromise depending on how the parsed data is used in the target application.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity. An EPSS score of less than 1% indicates a very low but non\u2011zero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so the current exploitation probability remains low. The vulnerability is typically exploitable remotely: an attacker can supply a crafted protocol buffer message to the vulnerable parser, thereby influencing the prototype chain before other application logic processes the data. Because prototype pollution can alter fundamental language behavior, the potential impact can be significant if the corrupted objects are later used for privileged operations."}}}}, "created": "2026-04-15T19:30:12.379847+00:00", "updated": "2026-04-17T09:30:14.470522+00:00", "vendors": ["mafintosh", "mafintosh$PRODUCT$protocol-buffers-schema_parser"]}