CVE-2026-1615: Arbitrary Code Injection in jsonpath
Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
AI Analysis
Technical Summary
CVE-2026-1615 affects the jsonpath package prior to version 1.3.0, allowing arbitrary code injection via unsafe evaluation of user-supplied JSON Path expressions. The vulnerability stems from reliance on the static-eval module, which is not designed to safely process untrusted data. Attackers can exploit this by crafting malicious JSON Path expressions that execute arbitrary JavaScript code, resulting in remote code execution in Node.js environments or cross-site scripting in browser contexts. All evaluation methods of jsonpath are impacted. Red Hat has published multiple advisories addressing this issue, indicating vendor awareness and remediation efforts.
Potential Impact
Successful exploitation can lead to remote code execution on Node.js platforms or cross-site scripting in browsers, allowing attackers to execute arbitrary JavaScript code. This poses a critical security risk, potentially compromising system integrity and confidentiality. The vulnerability affects all jsonpath methods that evaluate JSON Path expressions, increasing the attack surface.
Mitigation Recommendations
Red Hat has published security advisories related to this vulnerability, indicating that fixes or updates are available through their errata channels. Users should consult the Red Hat advisories (https://access.redhat.com/security/cve/CVE-2026-1615 and related errata) for official patching instructions and apply updates accordingly. Since no explicit patch version is stated in the input, verify the vendor advisories for the exact fixed versions and apply them promptly. There is no indication that the vulnerability is already mitigated or requires no action.
CVE-2026-1615: Arbitrary Code Injection in jsonpath
Description
Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
CVSS v4.0
Score 9.2critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-1615 affects the jsonpath package prior to version 1.3.0, allowing arbitrary code injection via unsafe evaluation of user-supplied JSON Path expressions. The vulnerability stems from reliance on the static-eval module, which is not designed to safely process untrusted data. Attackers can exploit this by crafting malicious JSON Path expressions that execute arbitrary JavaScript code, resulting in remote code execution in Node.js environments or cross-site scripting in browser contexts. All evaluation methods of jsonpath are impacted. Red Hat has published multiple advisories addressing this issue, indicating vendor awareness and remediation efforts.
Potential Impact
Successful exploitation can lead to remote code execution on Node.js platforms or cross-site scripting in browsers, allowing attackers to execute arbitrary JavaScript code. This poses a critical security risk, potentially compromising system integrity and confidentiality. The vulnerability affects all jsonpath methods that evaluate JSON Path expressions, increasing the attack surface.
Mitigation Recommendations
Red Hat has published security advisories related to this vulnerability, indicating that fixes or updates are available through their errata channels. Users should consult the Red Hat advisories (https://access.redhat.com/security/cve/CVE-2026-1615 and related errata) for official patching instructions and apply updates accordingly. Since no explicit patch version is stated in the input, verify the vendor advisories for the exact fixed versions and apply them promptly. There is no indication that the vulnerability is already mitigated or requires no action.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- snyk
- Date Reserved
- 2026-01-29T13:07:32.703Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-1615","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:6308","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:6309","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:6802","vendor":"Red Hat"}]
Threat ID: 69896dc24b57a58fa125bde1
Added to database: 02/09/2026, 05:16:50 UTC
Last enriched: 07/08/2026, 11:40:56 UTC
Last updated: 07/10/2026, 21:40:26 UTC
Views: 1071
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.