VDB

CVE-2026-1245

CVE-2026-1245 PUBLISHED CVSS 9.300000190734863 CRITICAL

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.

EPSS 0.09% · 25.1th percentile

Risk Scores

CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.09%
25.1th percentile

Affected Products

VendorProductVersions
binary-parserbinary-parser0, 0
npmbinary-parser0, 0
keichibinary-parser0, 0

Timeline

  • Jan 20, 2026 CVE Published
  • Jan 21, 2026 CVE Updated
  • Jan 21, 2026 EPSS Score
  • Jan 21, 2026 PoC Published
  • Jan 21, 2026 PoC Published
  • Jan 21, 2026 PoC Published
  • Jan 21, 2026 PoC Published
  • Jan 22, 2026 PoC Published
  • Jan 22, 2026 PoC Published
  • Jan 24, 2026 EPSS Score
  • Jan 26, 2026 EPSS Score
  • Jan 26, 2026 PoC Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›