CVE-2026-1615: Arbitrary Code Injection in jsonpath
CVE-2026-1615 is a critical vulnerability in all versions of the jsonpath package, allowing arbitrary code injection via unsafe evaluation of user-supplied JSON Path expressions. The vulnerability arises because jsonpath uses the static-eval module, which is not designed to safely process untrusted input. Exploitation can lead to remote code execution in Node.js environments or cross-site scripting (XSS) in browser contexts. This affects all jsonpath methods that evaluate JSON Paths, including .query, .nodes, .paths, .value, .parent, and .
AI Analysis
Technical Summary
CVE-2026-1615 is a critical arbitrary code injection vulnerability affecting all versions of the jsonpath package, a widely used JavaScript library for querying JSON data structures. The root cause lies in the reliance on the static-eval module to evaluate JSON Path expressions. static-eval is not designed to securely handle untrusted input, allowing attackers to craft malicious JSON Path expressions that execute arbitrary JavaScript code during evaluation. This leads to remote code execution (RCE) in Node.js environments where jsonpath is used server-side, and cross-site scripting (XSS) in browser environments where jsonpath is used client-side. The vulnerability impacts all jsonpath methods that evaluate JSON Paths, including .query, .nodes, .paths, .value, .parent, and .apply. Exploitation requires no authentication or user interaction, making it highly accessible to attackers who can supply malicious JSON Path input. The CVSS 4.0 score of 9.2 reflects the vulnerability's critical nature, with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability poses a significant threat to applications that process untrusted JSON Path expressions, especially in environments where jsonpath is embedded in web services or client-side code. The lack of available patches at the time of disclosure necessitates immediate risk mitigation by users of the library.
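The summary turns on one distinction: the parts of a JSON Path that jsonpath merely matches against the document, versus the parts it evaluates as expressions through static-eval. As an added illustration (not code from the advisory or from the jsonpath project), the following is an allowlist parser plus a minimal evaluator for the subset that needs no expression evaluation at all: root, member access, wildcard, integer index, simple slice, and recursive descent. The filter `[?( ... )]` and script `[( ... )]` forms, which are the ones jsonpath hands to static-eval, are rejected by the parser before any library sees them. The SAMPLE document, the expressions in main() and the 512-character limit are constructed assumptions; the evaluator is deliberately small and does not claim to reproduce jsonpath's result ordering for every path.

```javascript
// Added example, not code from the advisory or from the jsonpath project.
// Allowlist parser plus a minimal evaluator for a JSON Path subset that needs
// no expression evaluation: root, .name / ['name'], wildcard, integer index,
// simple slice, and ..name recursive descent. Filter `[?( ... )]` and script
// `[( ... )]` forms never get past parseSafeJsonPath.
// Assumptions: MAX_PATH_LENGTH, SAMPLE and the expressions in main() are constructed.

const MAX_PATH_LENGTH = 512; // constructed hedge against pathological inputs

// One accepted segment, matched exactly at the current offset (sticky flag).
// Quoted names may not contain quotes or backslashes, so no escape handling is needed.
const SEGMENT = /\.\.(?<deep>[A-Za-z_$][\w$]*|\*)|\.(?<name>[A-Za-z_$][\w$]*|\*)|\[(?:'(?<sq>[^'\\]*)'|"(?<dq>[^"\\]*)"|(?<star>\*)|(?<idx>-?\d+)|(?<from>-?\d*):(?<to>-?\d*))\]/y;

// Returns a list of navigation steps, or null if any part of the path falls
// outside the allowlisted subset (including any '(' anywhere in the path).
function parseSafeJsonPath(expr) {
  if (typeof expr !== 'string' || expr.length === 0 || expr.length > MAX_PATH_LENGTH) return null;
  if (expr[0] !== '$') return null;
  const steps = [];
  SEGMENT.lastIndex = 1;
  while (SEGMENT.lastIndex < expr.length) {
    const m = SEGMENT.exec(expr); // sticky: null unless a segment starts right here
    if (m === null) return null;
    const g = m.groups;
    if (g.deep !== undefined) steps.push({ op: 'descend', key: g.deep });
    else if (g.name === '*' || g.star !== undefined) steps.push({ op: 'wildcard' });
    else if (g.name !== undefined) steps.push({ op: 'child', key: g.name });
    else if (g.sq !== undefined) steps.push({ op: 'child', key: g.sq });
    else if (g.dq !== undefined) steps.push({ op: 'child', key: g.dq });
    else if (g.idx !== undefined) steps.push({ op: 'child', key: Number(g.idx) });
    else steps.push({ op: 'slice', from: g.from === '' ? undefined : Number(g.from), to: g.to === '' ? undefined : Number(g.to) });
  }
  return steps;
}

function isSafeJsonPath(expr) {
  return parseSafeJsonPath(expr) !== null;
}

// Own-property lookup only: inherited names such as __proto__ or constructor resolve to nothing.
function childOf(node, key) {
  if (Array.isArray(node)) {
    if (typeof key !== 'number') return undefined;
    const i = key < 0 ? node.length + key : key;
    return node[i];
  }
  if (node !== null && typeof node === 'object' && typeof key === 'string' &&
      Object.prototype.hasOwnProperty.call(node, key)) return node[key];
  return undefined;
}

function children(node) {
  if (Array.isArray(node)) return node.map((v, i) => [i, v]);
  if (node !== null && typeof node === 'object') return Object.entries(node);
  return [];
}

// ..name: depth-first over the node and all descendants; ..* collects every descendant.
function descend(node, key, out) {
  if (key === '*') for (const [, c] of children(node)) out.push(c);
  else { const v = childOf(node, key); if (v !== undefined) out.push(v); }
  for (const [, c] of children(node)) descend(c, key, out);
}

function evaluate(doc, steps) {
  let current = [doc];
  for (const step of steps) {
    const next = [];
    for (const node of current) {
      if (step.op === 'child') {
        const v = childOf(node, step.key);
        if (v !== undefined) next.push(v);
      } else if (step.op === 'wildcard') {
        for (const [, v] of children(node)) next.push(v);
      } else if (step.op === 'slice') {
        if (Array.isArray(node)) next.push(...node.slice(step.from, step.to));
      } else {
        descend(node, step.key, next);
      }
    }
    current = next;
  }
  return current;
}

// Validate, then navigate. Throws instead of falling back to a less strict library call.
function safeQuery(doc, expr) {
  const steps = parseSafeJsonPath(expr);
  if (steps === null) throw new Error('JSON Path rejected: outside the allowlisted subset');
  return evaluate(doc, steps);
}

// Constructed sample document.
const SAMPLE = { store: { book: [{ title: 'A', price: 8.95 }, { title: 'B', price: 12.99 }], bicycle: { color: 'red', price: 19.95 } } };

function main() {
  const exprs = ['$.store.book[*].title', '$..price', '$.store.book[-1].title', "$['__proto__']", '$..book[?(@.price < 10)]'];
  for (const expr of exprs) {
    try { console.log(expr, '=>', JSON.stringify(safeQuery(SAMPLE, expr))); }
    catch (e) { console.log(expr, '=> rejected:', e.message); }
  }
}
if (typeof require !== 'undefined' && require.main === module) main();
```

The point of the allowlist is that it works by construction rather than by recognising bad input: a path that contains anything the grammar above does not name is refused, so there is no list of dangerous tokens to keep current. Where an application needs filters, the value to compare against should come from application code, never from the request.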
Potential Impact
For European organizations, the impact of CVE-2026-1615 can be severe. Organizations using jsonpath in backend Node.js services risk remote code execution, potentially allowing attackers to take full control of affected servers, exfiltrate sensitive data, or disrupt service availability. In client-side applications, exploitation can lead to cross-site scripting attacks, enabling attackers to steal user credentials, session tokens, or perform actions on behalf of users. This vulnerability threatens confidentiality, integrity, and availability of data and systems. Industries such as finance, healthcare, government, and critical infrastructure, which often handle sensitive personal and operational data, are particularly at risk. The ease of exploitation and lack of required privileges mean that attackers can rapidly leverage this vulnerability in automated attacks or targeted campaigns. The absence of known exploits currently provides a window for proactive defense, but the critical severity demands urgent attention to prevent potential widespread exploitation. Failure to address this vulnerability could lead to regulatory non-compliance under GDPR due to data breaches and operational disruptions.
Mitigation Recommendations
European organizations should immediately audit their software dependencies to identify usage of the jsonpath package. Since no official patches are currently available, organizations should consider the following mitigations:
1) Avoid processing untrusted JSON Path expressions; implement strict input validation and sanitization to reject or neutralize malicious input.
2) Where feasible, replace jsonpath with alternative libraries that do not rely on unsafe evaluation or have been audited for secure handling of untrusted input.
3) Employ runtime application self-protection (RASP) or web application firewalls (WAFs) configured to detect and block suspicious JSON Path payloads or anomalous JavaScript execution patterns.
4) Isolate services using jsonpath in sandboxed environments with minimal privileges to limit potential damage from exploitation.
5) Monitor logs and network traffic for unusual activity indicative of exploitation attempts.
6) Stay updated with vendor advisories and apply patches immediately upon release.
7) Conduct security code reviews and penetration testing focused on JSON Path usage to identify and remediate vulnerabilities proactively.
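For the dependency audit the recommendations open with, as an added example (not code from the advisory or from npm): a lockfile scanner that reports every copy of jsonpath, including transitive copies nested under other packages, for both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 flat packages map. Because the advisory states that all versions are affected, any hit is a finding regardless of the version string. SAMPLE_LOCK, SAMPLE_LOCK_V1 and the version strings in them are constructed.

```javascript
// Added example, not code from the advisory or from npm. Reports every copy of
// a package in a package-lock.json. Per the advisory every jsonpath version is
// affected, so any hit is a finding. SAMPLE_LOCK and SAMPLE_LOCK_V1 are constructed.

function findInLockfile(lock, name) {
  const hits = [];
  if (lock && lock.packages && typeof lock.packages === 'object') {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/jsonpath" for a transitive copy under "a".
    const suffix = `node_modules/${name}`;
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === suffix || path.endsWith(`/${suffix}`)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits; // v2 also carries the v1 tree; do not double count it
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock && lock.dependencies, '');
  return hits;
}

function auditLockfile(lock, name = 'jsonpath') {
  const hits = findInLockfile(lock, name);
  return { affected: hits.length > 0, hits };
}

// Constructed lockfileVersion 3 sample: jsonpath is only present transitively.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'some-lib': '^2.0.0' } },
    'node_modules/some-lib': { version: '2.3.0', dependencies: { jsonpath: '^1.0.0' } },
    'node_modules/some-lib/node_modules/jsonpath': { version: '1.0.0', dependencies: { 'static-eval': '2.0.0' } },
    'node_modules/static-eval': { version: '2.0.0' },
  },
};

// Constructed lockfileVersion 1 sample with the same layout.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-lib': { version: '2.3.0', requires: { jsonpath: '^1.0.0' },
      dependencies: { jsonpath: { version: '1.0.0' } } },
  },
};

function main() {
  let lock = SAMPLE_LOCK;
  if (typeof process !== 'undefined' && process.argv[2]) {
    lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  }
  const result = auditLockfile(lock);
  for (const h of result.hits) console.log(`${h.path} (version ${h.version})`);
  console.log(result.affected ? 'AFFECTED: jsonpath is in the dependency tree' : 'jsonpath not found');
}
if (typeof require !== 'undefined' && require.main === module) main();
```

Run it as `node audit-lock.js path/to/package-lock.json`; for a project that is already installed, `npm ls jsonpath --all` gives the same answer. The lockfile scan is useful where lockfiles are collected from many repositories without installing them, and the install path in each hit tells you which direct dependency pulled jsonpath in, which is what recommendation 2 (replacing the library) needs to know.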
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: snyk
- Date Reserved: 2026-01-29T13:07:32.703Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69896dc24b57a58fa125bde1
Added to database: 2/9/2026, 5:16:50 AM
Last enriched: 2/9/2026, 5:30:37 AM
Last updated: 2/9/2026, 6:22:30 AM