Skip to main content

Telejson

1 CVEs product

Monthly

CVE-2026-47099 npm LOW PATCH Monitor

DOM-based cross-site scripting in telejson versions prior to 6.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript by supplying a crafted JSON payload to the parse() function, specifically via a malicious _constructor-name_ property that is injected unsanitized into a new Function() call during prototype reconstruction. All applications using telejson < 6.0.0 that pass externally-sourced JSON - particularly those using postMessage for cross-frame communication - to telejson.parse() are affected. No public exploit has been identified at time of analysis, though the GHSA advisory (GHSA-ccgf-5rwj-j3hv) publishes both vulnerable and patched source code at named release tags, substantially lowering the barrier to exploitation. Vendor-released patch is available as telejson 6.0.0.

XSS Telejson
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 2.1
LOW PATCH Monitor

DOM-based cross-site scripting in telejson versions prior to 6.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript by supplying a crafted JSON payload to the parse() function, specifically via a malicious _constructor-name_ property that is injected unsanitized into a new Function() call during prototype reconstruction. All applications using telejson < 6.0.0 that pass externally-sourced JSON - particularly those using postMessage for cross-frame communication - to telejson.parse() are affected. No public exploit has been identified at time of analysis, though the GHSA advisory (GHSA-ccgf-5rwj-j3hv) publishes both vulnerable and patched source code at named release tags, substantially lowering the barrier to exploitation. Vendor-released patch is available as telejson 6.0.0.

XSS Telejson
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy