TeleJSON < 6.0.0 DOM-based XSS via parse() Function_CVE-2026-47099

2.1 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

Basic Information

ID CVE-2026-47099

Source VulnCheck

Published May 20, 2026 at 18:00

Affected Product

Vendor storybookjs

Product telejson

Affected Versions storybookjs telejson 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.",
    "published": "2026-05-20T18:00:44.637Z",
    "modified": "2026-05-20T18:00:44.637Z",
    "type": "cve",
    "title": "TeleJSON < 6.0.0 DOM-based XSS via parse() Function",
    "source": "VulnCheck",
    "references": "https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv\nhttps://www.vulncheck.com/advisories/telejson-dom-based-xss-via-parse-function",
    "id": "CVE-2026-47099",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "storybookjs telejson 0",
    "sourceHref": "",
    "cvss": {
        "score": 2.1,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "telejson",
    "version": "0",
    "vendor": "storybookjs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}