CVE-2026-59876
MEDIUM
NVD
CVSS Score
4.8
Severity
MEDIUM
Published
Jul 08, 2026
Vendor
unknown
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5.