Description
pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.
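The difference between the two invocation styles, as an added example that is not protobufjs-cli code: a small Node child process stands in for JSDoc and only reports the arguments it received. The sample file names are constructed, `execSync`/`execFileSync` are used as synchronous stand-ins for the async calls, and a POSIX shell is assumed.

```javascript
// Added example, not protobufjs-cli code. The child script stands in for
// JSDoc and only echoes back the argument vector it was started with.
const { execSync, execFileSync } = require("node:child_process");

// Stand-in for the JSDoc entry point: print received arguments as JSON.
const ECHO_ARGV = "console.log(JSON.stringify(process.argv.slice(1)))";

// Constructed sample input: the second file name contains shell metacharacters.
const SAMPLE_FILES = ["types.js", "a; echo SHELL_RAN.js"];

// First output line is the child's argv; anything after it was printed by
// some other command that the shell decided to run.
function parseOutput(out) {
  const lines = out.trim().split("\n");
  return { argv: JSON.parse(lines[0]), extra: lines.slice(1) };
}

// Pattern described in the advisory: file paths are joined into one command
// string, so the shell parses them before the child process starts.
function runViaShellString(files) {
  const cmd = `"${process.execPath}" -e '${ECHO_ARGV}' ${files.join(" ")}`;
  return parseOutput(execSync(cmd, { encoding: "utf8" }));
}

// Shell-free form: each path is one element of the argument array and is
// handed to the child unchanged, whatever characters it contains.
function runViaArgv(files) {
  const args = ["-e", ECHO_ARGV, ...files];
  return parseOutput(execFileSync(process.execPath, args, { encoding: "utf8" }));
}

console.log("shell string:", runViaShellString(SAMPLE_FILES));
console.log("argument array:", runViaArgv(SAMPLE_FILES));
```

With the command string, the second file name is split at the `;` and the remainder runs as its own command; with the argument array, the child receives both file names exactly as given.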
Recommendation
Update the protobufjs-cli package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 2.0.0, <= 2.0.1** and **<= 1.2.0**
Patched version(s): **2.0.2** and **1.2.1**
Related Issues
- Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724
- @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input - CVE-2026-42853
- @elgentos/magento2-dev-mcp vulnerable to command injection - CVE-2026-5603
- protobuf.js: Code injection in pbjs static output from crafted schema names - CVE-2026-44295
Tags: npm, protobufjs-cli
Last updated on May 14, 2026


