
jsonata CVE-2026-12208

EUVD-2026-36682 · MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-06-15 · VulDB · GHSA-663r-x48j-fg8p
5.5 (CVSS 4.0 · Vendor: VulDB)

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable with no authentication or user interaction; integrity impact is rated Low because direct prototype pollution does not by itself guarantee a full system write without application-layer escalation.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector breakdown (Vendor: VulDB; full vector string listed above)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined; Scope is not a CVSS 4.0 base metric)

Lifecycle Timeline

Jun 15, 2026 - 03:22 (NVD): CVSS changed, 6.9 (MEDIUM) -> 5.5 (MEDIUM)
Jun 15, 2026 - 03:15 (vuln.today): Analysis generated

Description (CVE.org)

A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Prototype pollution in jsonata-js (all versions up to 2.2.0) allows remote unauthenticated attackers to inject arbitrary properties into JavaScript's Object.prototype via the createFrame function in src/jsonata.js. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with exploitation status E:P confirms this is network-exploitable with zero prerequisites, and a public proof-of-concept has been published on GitHub demonstrating a hasOwnProperty guard bypass. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Send crafted jsonata expression with __proto__ binding key
Delivery: Reach createFrame in src/jsonata.js
Exploit: Bypass hasOwnProperty guard via known technique
Execution: Inject arbitrary property into Object.prototype
Persist: Corrupt runtime-wide object inheritance
Impact: Exploit polluted prototype in downstream authorization or logic checks

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application passes attacker-controlled or attacker-influenced content as keys within jsonata expressions or variable binding frames evaluated by createFrame in src/jsonata.js. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 4.0 score of 6.9 (Medium) captures only the direct, base-level integrity impact (VI:L) and understates realistic risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker targeting a web application that evaluates user-supplied jsonata expressions sends a crafted query containing a payload that uses __proto__ or a similar prototype-chain key as a variable binding name within the expression, reaching the vulnerable createFrame function. Because the POC (https://github.com/OriginSecurityX/jsonata-hasownproperty-bypass) demonstrates a bypass of the hasOwnProperty guard, standard naive prototype-pollution defenses in the library are insufficient to block the injection. …
Remediation: No vendor-released patch has been identified at time of analysis; the vendor did not respond to coordinated disclosure and no fixed version of jsonata has been confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.
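As an added illustration for the analysis and assessment above (not jsonata's own code, and not the guard bypass in the referenced PoC, which this page does not detail), a variable-binding frame built so that binding names can never write through to Object.prototype, plus a runtime integrity check a defender can run to detect pollution from any code path; the function names are assumed for this example.

```javascript
// Added illustration, not jsonata's own code. Function names below are assumed.
const FORBIDDEN_NAMES = new Set(["__proto__", "constructor", "prototype"]);

// A binding name is accepted only if it is a non-empty string that cannot
// address the prototype chain. Checked before any write, whatever the storage.
function isSafeBindingName(name) {
  return typeof name === "string" && name.length > 0 && !FORBIDDEN_NAMES.has(name);
}

// Bindings live in a Map rather than a plain object: "__proto__" is then an
// ordinary string key, and lookups never walk Object.prototype, so a
// hasOwnProperty-style guard is not needed in the first place.
function createSafeFrame(parent = null) {
  return { parent, bindings: new Map() };
}

function bindVariable(frame, name, value) {
  if (!isSafeBindingName(name)) {
    throw new TypeError(`refused to bind unsafe variable name: ${String(name)}`);
  }
  frame.bindings.set(name, value);
  return frame;
}

// Resolve a name through the frame chain, innermost frame first.
function lookupVariable(frame, name) {
  for (let f = frame; f !== null; f = f.parent) {
    if (f.bindings.has(name)) return f.bindings.get(name);
  }
  return undefined;
}

// Runtime integrity check for defenders: record Object.prototype's own keys at
// startup, then report any key that appears later. New keys are evidence that
// some code path in the process polluted the prototype.
function snapshotPrototype() {
  return new Set(Reflect.ownKeys(Object.prototype).map(String));
}

function prototypeDrift(baseline) {
  return Reflect.ownKeys(Object.prototype)
    .map(String)
    .filter((key) => !baseline.has(key));
}

// Constructed usage: an outer frame with one binding and a child frame over it.
const baseline = snapshotPrototype();
const root = bindVariable(createSafeFrame(), "limit", 10);
const child = bindVariable(createSafeFrame(root), "offset", 5);
```

Freezing Object.prototype at process start (Object.freeze(Object.prototype)) is a complementary hardening that turns any such write into a no-op or a TypeError in strict mode, at the cost of breaking libraries that legitimately extend it.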


CVE-2026-12208 vulnerability details – vuln.today
