Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 1.0%top 40%

CVE-2026-1615: Arbitrary Code Injection in jsonpath

0
Critical
VulnerabilityCVE-2026-1615cvecve-2026-1615
Published: 02/09/2026 (02/09/2026, 05:00:09 UTC)
Source: CVE Database V5
Product: jsonpath

Description

Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

CVSS v4.0

Score 9.2critical

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
High
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Affected software

Affected versions
=0<1.3.0

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 11:40:56 UTC

Technical Analysis

CVE-2026-1615 affects the jsonpath package prior to version 1.3.0, allowing arbitrary code injection via unsafe evaluation of user-supplied JSON Path expressions. The vulnerability stems from reliance on the static-eval module, which is not designed to safely process untrusted data. Attackers can exploit this by crafting malicious JSON Path expressions that execute arbitrary JavaScript code, resulting in remote code execution in Node.js environments or cross-site scripting in browser contexts. All evaluation methods of jsonpath are impacted. Red Hat has published multiple advisories addressing this issue, indicating vendor awareness and remediation efforts.

Potential Impact

Successful exploitation can lead to remote code execution on Node.js platforms or cross-site scripting in browsers, allowing attackers to execute arbitrary JavaScript code. This poses a critical security risk, potentially compromising system integrity and confidentiality. The vulnerability affects all jsonpath methods that evaluate JSON Path expressions, increasing the attack surface.

Mitigation Recommendations

Red Hat has published security advisories related to this vulnerability, indicating that fixes or updates are available through their errata channels. Users should consult the Red Hat advisories (https://access.redhat.com/security/cve/CVE-2026-1615 and related errata) for official patching instructions and apply updates accordingly. Since no explicit patch version is stated in the input, verify the vendor advisories for the exact fixed versions and apply them promptly. There is no indication that the vulnerability is already mitigated or requires no action.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
snyk
Date Reserved
2026-01-29T13:07:32.703Z
Cvss Version
4.0
State
PUBLISHED
Vendor Advisory Urls
[{"url":"https://access.redhat.com/security/cve/CVE-2026-1615","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:6308","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:6309","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:6802","vendor":"Red Hat"}]

Threat ID: 69896dc24b57a58fa125bde1

Added to database: 02/09/2026, 05:16:50 UTC

Last enriched: 07/08/2026, 11:40:56 UTC

Last updated: 07/10/2026, 21:40:26 UTC

Views: 1071

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses