The vulnerability CVE-2026-1615 affects the jsonpath package, a widely used JavaScript library for querying JSON data structures. Versions prior to 1.2.0 rely on the static-eval module to evaluate JSON Path expressions. static-eval is not designed to safely handle untrusted input, leading to an unsafe evaluation context. An attacker can craft malicious JSON Path expressions that, when processed by jsonpath methods such as .query, .nodes, .paths, .value, .parent, or .apply, result in arbitrary JavaScript code execution. This can lead to remote code execution (RCE) in server-side Node.js environments, allowing attackers to run arbitrary commands or manipulate server processes. In browser contexts, this vulnerability can be exploited for cross-site scripting (XSS), enabling attackers to execute malicious scripts in the victim's browser, potentially stealing cookies, session tokens, or performing actions on behalf of the user. The vulnerability requires no authentication or user interaction and can be triggered remotely over the network, making it highly exploitable. The CVSS 4.0 score of 9.2 reflects the critical nature of this flaw, with high impact on confidentiality, integrity, and availability. No patches or exploits are currently documented in the provided data, but the risk is significant given the widespread use of jsonpath in JavaScript applications.

The impact of CVE-2026-1615 is severe for organizations using vulnerable versions of jsonpath. In server environments running Node.js, exploitation can lead to full remote code execution, allowing attackers to take control of affected systems, exfiltrate sensitive data, deploy malware, or pivot within internal networks. In client-side applications, the vulnerability can facilitate cross-site scripting attacks, compromising user data, session integrity, and enabling phishing or drive-by download attacks. The broad usage of jsonpath in web applications, APIs, and backend services means that many organizations could be exposed. The vulnerability can disrupt service availability, compromise data confidentiality and integrity, and damage organizational reputation. Given the ease of exploitation and lack of required privileges or user interaction, the threat is immediate and critical.

To mitigate CVE-2026-1615, organizations should immediately upgrade jsonpath to version 1.2.0 or later, where the unsafe evaluation of JSON Path expressions has been addressed. If upgrading is not immediately possible, implement strict input validation and sanitization on all JSON Path inputs to ensure only trusted or sanitized expressions are processed. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious JSON Path payloads. Conduct thorough code reviews to identify any direct use of jsonpath methods that evaluate JSON Paths and isolate or sandbox these calls. Monitor application logs for unusual JSON Path expressions or execution patterns indicative of exploitation attempts. Additionally, apply the principle of least privilege to Node.js processes to limit the impact of potential code execution. Finally, educate developers about the risks of unsafe evaluation and encourage use of safer alternatives or libraries that do not rely on static-eval for expression evaluation.