RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: poc (2 articles)Clear
vulnerability
2026-04-18

Critical protobuf.js RCE hits JavaScript ecosystem - 50M weekly npm downloads, PoC published (GHSA-xq3m-2v4x-88gg)

Security firm Endor Labs disclosed a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers with nearly 50 million weekly downloads on npm. The bug lets attackers achieve RCE when an application loads a malicious protobuf schema. Root cause: protobuf.js builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but doesn't validate schema-derived identifiers like message names. An attacker can supply a crafted schema that injects arbitrary JavaScript into the generated function, which then runs when the app processes any message using that schema. This opens access to environment variables, credentials, databases, and internal systems - plus lateral movement within infrastructure. Developer machines are also at risk if they load and decode untrusted schemas locally. The flaw has a proof-of-concept exploit in Endor Labs' advisory and 'exploitation is straightforward' per the researchers, but no in-the-wild exploitation has been observed yet. No official CVE assigned - tracked as GHSA-xq3m-2v4x-88gg. Reported March 2 by Cristian Staicu, patched on GitHub March 11, npm patches released April 4 (8.x branch) and April 15 (7.x branch).

protobufprotobufjsnpmjavascriptnodejsrcesupply-chainpoc
Check
Audit your JavaScript and Node.js codebases plus transitive dependencies for protobuf.js. If you run any service that deserializes protobuf messages, treat this as urgent.
Affected
protobuf.js versions 8.0.0 and earlier on the 8.x branch, and 7.5.4 and earlier on the 7.x branch. The library is used for inter-service communication, real-time applications, and structured data storage in databases and cloud environments. Any app that loads attacker-influenced protobuf schemas is at risk - this includes services accepting schemas from users, partners, or untrusted registries.
Fix
Upgrade to protobuf.js 8.0.1 (8.x branch) or 7.5.5 (7.x branch). Check your package.json and package-lock.json for both direct and transitive dependencies - protobuf.js is often pulled in by other packages. For defense-in-depth per Endor Labs' guidance: treat schema-loading as untrusted input, prefer precompiled or static schemas in production, and audit transitive dependencies that may still pin an older protobuf.js version even after you upgrade your direct dependency.
vulnerability
CVE-2026-39808
2026-04-17

Fortinet FortiSandbox unauthenticated RCE (CVE-2026-39808) has public PoC - day-after recovery from April 17

Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.

fortinetfortisandboxrcepocunauthenticatedday-after-recovery
Check
If your organization uses Fortinet FortiSandbox, apply Fortinet's security update immediately. Treat as priority-1 even without confirmed in-the-wild exploitation.
Affected
Fortinet FortiSandbox appliances running unpatched firmware. Check Fortinet's PSIRT advisory for CVE-2026-39808 for exact affected firmware versions and upgrade paths for your model.
Fix
Apply Fortinet's security update from the official PSIRT advisory. If patching is delayed, restrict network access to the FortiSandbox management interface to trusted admin IPs only - do not expose the management interface to the internet. Review FortiSandbox access logs for unusual HTTP requests to the management interface over the past 30 days.