jmespath.php CVE-2026-54133

EUVD-2026-36431 · CRITICAL
Improper Input Validation (CWE-20)
2026-06-12 · GitHub_M
CVSS 3.1: 9.8 · Vendor: GitHub_M
Severity by source

Vendor (GitHub_M), PRIMARY: 9.8 CRITICAL
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
Network-reachable RCE with no auth or UI, but exploitation depends on the app using CompilerRuntime with untrusted expressions, so AC:H rather than AC:L.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 12, 2026 - 16:01 (EUVD)
Analysis Generated: Jun 12, 2026 - 14:51 (vuln.today)

Description (CVE.org)

jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when JmesPath\CompilerRuntime is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in 2.9.1 and later. As a workaround, disable JP_PHP_COMPILE and do not use JmesPath\CompilerRuntime with attacker-controlled expressions. Use the default AstRuntime for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.

Analysis (AI)

Remote code execution in jmespath.php versions prior to 2.9.1 allows attackers controlling JMESPath expressions to inject arbitrary PHP into compiler-generated cache files, which are then loaded and executed by JmesPath\CompilerRuntime. The flaw stems from insufficient escaping of parsed function names when the compiler emits PHP source, enabling code execution whenever an application evaluates untrusted expressions through the compiler runtime. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify endpoint accepting JMESPath expression
Delivery: Confirm CompilerRuntime backend in use
Exploit: Send crafted expression with malicious function-name token
Install: Compiler emits poisoned PHP cache file
C2: Runtime includes generated file
Execute: Arbitrary PHP executes as web user
Impact: Establish foothold on host

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target PHP application to (1) instantiate JmesPath\CompilerRuntime - or have JP_PHP_COMPILE enabled so the facade selects the compiler - rather than the default AstRuntime, (2) pass an attacker-controlled JMESPath expression string into that runtime's compile/search call, and (3) run jmespath/jmespath.php at a version below 2.9.1 with a writable compiler cache directory the PHP process can later include. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8 and is technically defensible for any web application that forwards user-supplied expressions to CompilerRuntime, since exploitation then becomes a single crafted HTTP parameter. …

Exploit Scenario: A web application exposes a search or reporting endpoint that accepts a JMESPath expression from the client and evaluates it server-side through JmesPath\CompilerRuntime for performance. An unauthenticated attacker submits an expression whose function-name token is crafted to break out of the generated PHP literal and append arbitrary statements (for example, a system() call), the compiler writes the malicious file to the cache directory and immediately includes it, and the attacker's payload runs under the PHP-FPM/web-server user, yielding full RCE.

Remediation: Vendor-released patch: upgrade jmespath/jmespath.php to 2.9.1 or later via Composer (composer require jmespath/jmespath.php:^2.9.1) and clear any previously generated compiler cache files on disk, since poisoned cache entries written before the upgrade would still execute on include. …

Recommended Action (AI)

24 hours: Conduct inventory of all systems running jmespath.php <2.9.1; take affected applications offline or network-isolate them from production. …
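
The inventory step above and the exploitation conditions in the assessment can be checked per project with a short script. This is an added example, not code from vuln.today or the jmespath.php project; it assumes a standard Composer layout (composer.lock at the project root, dependencies under vendor/), and the function names are hypothetical.

```python
import json
import re
import tempfile
from pathlib import Path

PACKAGE = "jmespath/jmespath.php"
FIXED = (2, 9, 1)  # first patched release named in the advisory
# Names from the advisory that select or enable the compiler runtime.
MARKERS = re.compile(r"CompilerRuntime|JP_PHP_COMPILE")

def parse_version(text):
    """'v2.8.0' or '2.9.1' -> (2, 8, 0); None for dev branches and the like."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def locked_version(lock_text):
    """Version string Composer locked for jmespath.php, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None

def audit(project_dir):
    """Locked version, whether it predates 2.9.1, and app files naming the compiler."""
    root = Path(project_dir)
    lock = root / "composer.lock"
    version = locked_version(lock.read_text()) if lock.is_file() else None
    parsed = parse_version(version) if version else None
    refs = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or "vendor" in rel.parts:
            continue  # vendor/ holds the library itself, which always matches
        if path.suffix == ".php" or path.name.startswith(".env"):
            if MARKERS.search(path.read_text(errors="ignore")):
                refs.append(rel.as_posix())
    return {"version": version,
            "below_fix": parsed is not None and parsed < FIXED,
            "compiler_refs": sorted(refs)}

if __name__ == "__main__":
    # Constructed sample project: a lock file pinning 2.8.0 and one app file.
    with tempfile.TemporaryDirectory() as tmp:
        lock = {"packages": [{"name": PACKAGE, "version": "2.8.0"}]}
        Path(tmp, "composer.lock").write_text(json.dumps(lock))
        Path(tmp, "search.php").write_text("<?php $rt = new \\JmesPath\\CompilerRuntime();")
        print(audit(tmp))
```

A project that reports `below_fix` together with a non-empty `compiler_refs` list matches the conditions the assessment describes and should be upgraded first. A version string that cannot be parsed (a dev branch, for instance) is returned unchanged in `version` for manual review.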
