{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5758", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-07T17:20:03.756Z", "datePublished": "2026-04-15T17:20:13.551Z", "dateUpdated": "2026-04-15T18:55:45.526Z"}, "containers": {"cna": {"title": "Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution", "descriptions": [{"lang": "en", "value": "JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Mafintosh", "product": "Protocol-buffers-schema parser", "versions": [{"status": "affected", "version": "3.6.0", "lessThan": "3.6.1", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "references": [{"url": "https://github.com/mafintosh/protocol-buffers-schema/pull/70"}, {"url": "https://morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution/"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5758"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-15T17:23:02.336Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:55:12.559324Z", "id": "CVE-2026-5758", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:55:45.526Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5758", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:55:12.559324Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:55:39.046Z"}}], "cna": {"title": "Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Mafintosh", "product": "Protocol-buffers-schema parser", "versions": [{"status": "affected", "version": "3.6.0", "lessThan": "3.6.1", "versionType": "custom"}]}], "references": [{"url": "https://github.com/mafintosh/protocol-buffers-schema/pull/70"}, {"url": "https://morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution/"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5758"}, "descriptions": [{"lang": "en", "value": "JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-15T17:23:02.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5758", "state": "PUBLISHED", "dateUpdated": "2026-04-15T18:55:45.526Z", "dateReserved": "2026-04-07T17:20:03.756Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-15T17:20:13.551Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution."}], "id": "CVE-2026-5758", "lastModified": "2026-04-15T20:16:38.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T18:17:24.920", "references": [{"source": "cret@cert.org", "url": "https://github.com/mafintosh/protocol-buffers-schema/pull/70"}, {"source": "cret@cert.org", "url": "https://morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:15:52.079474+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest available version of protocol-buffers-schema (post\u20113.6.0) or apply the patch provided in version 3.6.1 or later.", "If an upgrade is not immediately possible, isolate and hard\u2011enforce input validation so that only whitelisted, trusted protocol buffer definitions are parsed, preventing malicious data from reaching the vulnerable code.", "Use package-lock.json or npm\u2011audit to detect and block the vulnerable dependency from being installed in new environments, and audit existing installations for the presence of version 3.6.0."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via prototype pollution"}, "threat_synthesis": {"affected_systems": "The affected product is Mafintosh\u2019s protocol\u2011buffers\u2011schema parser, specifically version 3.6.0. Any application that depends on or loads this version is at risk.", "description_and_impact": "The protocol-buffers-schema library v3.6.0 is vulnerable to JavaScript prototype pollution. Exploitation allows an attacker to modify properties on Object.prototype, which can change application logic, bypass security checks, trigger denial\u2011of\u2011service conditions, or even lead to remote code execution depending on the target environment and how the parsed data is subsequently used.", "risk_and_exploitability": "No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting the current exploitation probability is unknown. The likely attack vector is remote, via an attacker supplying a crafted protocol buffer message to the vulnerable parser. Because prototype pollution can alter fundamental object behavior, the full impact can be significant if the application uses the corrupted objects for privileged operations."}}}}, "created": "2026-04-15T19:30:12.379847+00:00", "updated": "2026-04-15T19:30:12.379869+00:00", "vendors": [], "weaknesses": ["CWE-1174"]}