CVE-2026-1615_CVE-2026-1615

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P

Description

All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

AI Analysis

Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions

Basic Information

ID CVE-2026-1615

Source snyk

Published Feb 9, 2026 at 05:00

Affected Product

Vendor n/a

Product jsonpath

Affected Versions n/a jsonpath 0
n/a org.webjars.npm:jsonpath 0

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor dchester

Product jsonpath

Version All versions

References

{
    "lastseen": "",
    "description": "All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.",
    "published": "2026-02-09T05:00:09.050Z",
    "modified": "2026-02-09T05:00:09.050Z",
    "type": "cve",
    "title": "CVE-2026-1615",
    "source": "snyk",
    "references": "https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034\nhttps://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219\nhttps://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js%23L243",
    "id": "CVE-2026-1615",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "n/a jsonpath 0\nn/a org.webjars.npm:jsonpath 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "jsonpath",
    "version": "0",
    "vendor": "n/a",
    "ai_description": "Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions",
    "ai_severity": "Critical",
    "ai_vendor": "dchester",
    "ai_product": "jsonpath",
    "ai_version": "All versions",
    "ai_score": 9.8
}