PatchSiren cyber security CVE debrief
CVE-2026-54133 jmespath CVE debrief
A critical vulnerability, CVE-2026-54133, was discovered in jmespath.php, a PHP library for declaratively specifying how to extract elements from a JSON document. The vulnerability has a CVSS score of 9.8 and can allow attackers to execute arbitrary PHP code. The issue arises when using `JmesPathCompilerRuntime` with an attacker-controlled JMESPath expression, which can generate and execute malicious PHP code. The vulnerability is patched in version 2.9.1 and later.
- Vendor: jmespath
- Product: jmespath.php
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers and administrators running applications that depend on jmespath.php should be aware of this vulnerability and take steps to mitigate it, in particular wherever JMESPath expressions originate from users or other untrusted sources.
Technical summary
The vulnerability occurs when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping, so an attacker who controls the expression can inject PHP code that is then executed when the compiled expression runs. The issue can be mitigated by disabling `JP_PHP_COMPILE` and using the default `AstRuntime`, which interprets the parsed expression tree instead of generating PHP source, for untrusted expressions.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 2.9.1 or later of jmespath.php
- Disable `JP_PHP_COMPILE` and use the default `AstRuntime` for untrusted expressions
- Avoid using `JmesPath\CompilerRuntime` with attacker-controlled expressions
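The following PHP snippet is an added example of the mitigation described above; it is not code from the advisory or from the jmespath.php project. It evaluates caller-supplied expressions through an explicitly constructed `AstRuntime`, so runtime selection never depends on the `JP_PHP_COMPILE` environment variable and untrusted input is never turned into generated PHP source. The `UntrustedJmesPath` class, its length limit and the sample document are assumptions made for the example; the library classes `JmesPath\AstRuntime` and `JmesPath\SyntaxErrorException` are the real ones shipped by mtdowling/jmespath.php.

```php
<?php
// Added example, not part of the advisory or the jmespath.php project.
// Assumes mtdowling/jmespath.php (2.9.1 or later) is installed via Composer.

require __DIR__ . '/vendor/autoload.php';

use JmesPath\AstRuntime;
use JmesPath\SyntaxErrorException;

final class UntrustedJmesPath
{
    private AstRuntime $runtime;

    // Assumed application limit on expression length; fail closed on oversized input.
    private int $maxLength;

    public function __construct(int $maxLength = 512)
    {
        // Construct the tree-walking runtime directly rather than calling
        // JmesPath\Env::search(), whose runtime choice honours JP_PHP_COMPILE
        // and would select CompilerRuntime when that variable is set.
        $this->runtime = new AstRuntime();
        $this->maxLength = $maxLength;
    }

    /**
     * Evaluate an untrusted JMESPath expression against decoded JSON data.
     *
     * @param string $expression expression taken from a user or other untrusted source
     * @param mixed  $data       decoded JSON document (json_decode(..., true))
     * @return mixed search result, or null if the expression is rejected
     */
    public function search(string $expression, $data)
    {
        if (strlen($expression) > $this->maxLength) {
            return null;
        }
        try {
            // AstRuntime interprets the parsed AST; no PHP source is generated or included.
            return ($this->runtime)($expression, $data);
        } catch (SyntaxErrorException $e) {
            // Malformed expression: reject it instead of exposing parser internals.
            return null;
        }
    }
}

// Constructed sample document and a caller-supplied expression.
$document = json_decode(
    '{"users":[{"name":"ann","role":"admin"},{"name":"bob","role":"user"}]}',
    true
);
$untrustedExpression = "users[?role=='admin'].name";

$search = new UntrustedJmesPath();
var_dump($search->search($untrustedExpression, $document));
```

Keeping the runtime construction explicit is the point: code that calls `JmesPath\Env::search()` inherits whatever `JP_PHP_COMPILE` says in the deployment environment, so the safe path should not rely on that variable being unset. `CompilerRuntime` remains a reasonable choice only for expressions that are fixed in application code or otherwise fully trusted.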
Evidence notes
The vulnerability is patched in version 2.9.1 and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions.
Official resources
- CVE-2026-54133 CVE record (CVE.org)
- CVE-2026-54133 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-54133 was published on 2026-06-12T15:16:31.890Z and modified on 2026-06-12T16:16:34.143Z.