jsonpath CVE-2026-1615
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (snyk).
CVSS VectorVendor: snyk
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 49,192 npm packages depend on jsonpath (1,299 direct, 47,928 indirect)
Ecosystem-wide dependent count for version 1.3.0.
DescriptionCVE.org
Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
AnalysisAI
Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.
Technical ContextAI
The jsonpath library is a Node.js implementation of JSONPath query syntax for traversing and extracting data from JSON structures. The vulnerability resides in the library's dependency on the static-eval module to evaluate user-supplied JSON Path expressions. CWE-94 (Improper Control of Generation of Code) occurs because static-eval was not designed as a security boundary for untrusted input. When processing JSON Path queries containing executable JavaScript constructs, the evaluation engine interprets and executes the code rather than treating it as data. The vulnerable code path is in lib/handlers.js (line 243 per references), where expression evaluation occurs without input validation or sandboxing. This architectural flaw affects all methods that traverse JSON objects using evaluated expressions, creating multiple attack surfaces across the API.
Affected ProductsAI
The vulnerability affects the jsonpath npm package versions prior to 1.2.0, used primarily in Node.js server environments and browser-based JavaScript applications. The package is also distributed through WebJars for Java ecosystems (org.webjars.npm:jsonpath, referenced in SNYK-JAVA-ORGWEBJARSNPM-15141219). Red Hat Enterprise Linux and related products incorporating this library are affected, as evidenced by RHSA-2026:6174, RHSA-2026:6308, RHSA-2026:6309, RHSA-2026:6404, and RHSA-2026:6802. SUSE Linux distributions are similarly affected per SUSE-SU-2026:1008, 1013, 1035, and 1148. The vulnerability impacts both server-side Node.js applications (RCE risk) and browser-based JavaScript (XSS risk) wherever untrusted JSON Path expressions are processed. Vendor advisories available at https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034 and respective Red Hat/SUSE advisory URLs.
RemediationAI
Upgrade to jsonpath version 1.2.0 or later, which addresses the arbitrary code injection vulnerability through commits 9631412641b7095f86840a7a45b5b3afc68b0fcb and b61111f07ac1a8d0f3133b5fc51438ecb76a6c39. For systems using Red Hat products, apply RHSA-2026:6174, 6308, 6309, 6404, or 6802 as appropriate for your platform. SUSE users should apply SUSE-SU-2026:1008, 1013, 1035, or 1148. If immediate patching is not feasible, implement strict input validation: whitelist only alphanumeric characters, dots, and brackets in JSON Path expressions, and reject any input containing parentheses, JavaScript operators, or function calls - this prevents expression evaluation but may break legitimate complex query functionality. Alternatively, isolate jsonpath execution in a sandboxed environment with restricted permissions, though this adds operational complexity and potential performance overhead. For browser contexts, implement Content Security Policy with 'unsafe-eval' prohibited to limit XSS impact, though this does not prevent server-side RCE and may conflict with other application requirements. Most effective mitigation: never pass user-controlled input directly to jsonpath query methods; instead, expose only predefined, application-controlled query templates.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-94 – Code Injection
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| Container suse/manager/4.3/proxy-httpd:4.3.17.9.76.1 | Affected |
| Container suse/manager/5.0/x86_64/server:latest | Affected |
| Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools for SLE Micro 5 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-Micro-5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Multi Linux Manager Tools SLE-15 | Affected |
| SUSE Multi Linux Manager Tools SLE-Micro-5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools for SLE 12 | Fixed |
| SUSE Manager Client Tools for SLE 15 | Fixed |
| SUSE Manager Client Tools for SLE Micro 5 | Fixed |
| SUSE Manager Client Tools for SLE Micro 5 | Fixed |
| SUSE Manager Client Tools for SLE Micro 5 | Fixed |
| SUSE Manager Client Tools for SLE Micro 5 | Fixed |
| SUSE Manager Client Tools for SLE Micro 5 | Fixed |
| SUSE Multi-Linux Manager Client Tools for SLE 12 | Fixed |
| SUSE Multi-Linux Manager Client Tools for SLE 15 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy Module 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy Module 4.1 | Fixed |
| SUSE Manager Proxy Module 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| SUSE Manager Tools 15 SP1 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-Micro-5 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-Micro-5 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-Micro-5 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-Micro-5 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-Micro-5 | Fixed |
| SUSE Multi Linux Manager Tools Beta SLE-Micro-5 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| SUSE Multi Linux Manager Tools SLE-Micro-5 | Fixed |
| SUSE Multi Linux Manager Tools SLE-Micro-5 | Fixed |
| SUSE Multi-Linux Manager Beta Client Tools for SLE 15 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-87r5-mp6g-5w5j