Jmespath Php
Remote code execution in jmespath.php versions prior to 2.9.1 allows attackers controlling JMESPath expressions to inject arbitrary PHP into compiler-generated cache files, which are then loaded and executed by JmesPath\CompilerRuntime. The flaw stems from insufficient escaping of parsed function names when the compiler emits PHP source, enabling code execution whenever an application evaluates untrusted expressions through the compiler runtime. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects unauthenticated network-reachable RCE in any web app that pipes user input into the compiler.