Home > Vulnerability Database > CVE-2026-1245

Mend.io Vulnerability Database

CVE-2026-1245

Good to know:

Date: January 20, 2026

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.

Severity Score

9.8

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-1245

Url: https://github.com/keichi/binary-parser

Url: https://www.npmjs.com/package/binary-parser

Url: https://www.cve.org/CVERecord?id=CVE-2026-1245

Url: https://www.kb.cert.org/vuls/id/102648

Url: https://github.com/keichi/binary-parser/pull/283

Url: https://kb.cert.org/vuls/id/102648

Url: https://www.mend.io/vulnerability-database/CVE-2026-1245

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Top Fix

Upgrade Version

Upgrade to version binary-parser - 2.3.0;https://github.com/keichi/binary-parser.git - v2.3.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-1245

Good to know:

Date: January 20, 2026

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?