CVE-2026-1615

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

ersions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

References

Link	Resource
https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js%23L243
https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219
https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034

Configurations

No configuration.

History

17 Feb 2026, 14:16

Type	Values Removed	Values Added
References		() https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb -
Summary		(es) Todas las versiones del paquete jsonpath son vulnerables a Inyección de Código Arbitrario a través de la evaluación insegura de expresiones JSON Path proporcionadas por el usuario. La biblioteca se basa en el módulo static-eval para procesar la entrada JSON Path, el cual no está diseñado para manejar datos no confiables de forma segura. Un atacante puede explotar esta vulnerabilidad al proporcionar una expresión JSON Path maliciosa que, al ser evaluada, ejecuta código JavaScript arbitrario, lo que lleva a Ejecución Remota de Código en entornos Node.js o Cross-site scripting (XSS) en contextos de navegador. Esto afecta a todos los métodos que evalúan JSON Paths contra objetos, incluyendo .query, .nodes, .paths, .value, .parent y .apply.
Summary	(en) All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.	(en) Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

09 Feb 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-09 05:16

Updated : 2026-02-23 11:16

NVD link : CVE-2026-1615

Mitre link : CVE-2026-1615

CVE.ORG link : CVE-2026-1615

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.8 /10