Description
pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.
Recommendation
Update the protobufjs-cli package to the latest compatible version. Followings are version details:
Affected version(s): **>= 2.0.0, <= 2.0.1 <= 1.2.0** Patched version(s): **2.0.2 1.2.1**
References
Related Issues
- protobuf.js: Code injection in pbjs static output from crafted schema names - CVE-2026-44295
- @siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes - CVE-2026-31861
- @elgentos/magento2-dev-mcp vulnerable to command injection - CVE-2026-5603
- Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724
You might also like:
- Tags:
- npm
- protobufjs-cli
Anything's wrong? Let us know Last updated on May 14, 2026


