PatchSiren cyber security CVE debrief
CVE-2026-12208 jsonata-js CVE debrief
A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- Vendor: jsonata-js
- Product: jsonata
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Anyone running jsonata-js jsonata up to 2.2.0 should care: per the CVE description, the attack can be initiated remotely and an exploit is publicly available.
Technical summary
The flaw is in the createFrame function in src/jsonata.js, part of the Function Binding Frame System component of jsonata-js jsonata up to 2.2.0. It allows improperly controlled modification of object prototype attributes, the weakness class commonly called prototype pollution.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a version of jsonata-js jsonata that is not vulnerable.
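To see which installed copies fall in the range named above (up to 2.2.0), including copies pulled in by other packages, the lockfile can be audited directly. The following is an added example, not code from the advisory or from the jsonata project. It assumes the npm package name `jsonata` and the standard package-lock.json layout; the sample lockfile and the other package names in it are constructed.

```javascript
// Added example (not project code): find installed jsonata copies in an npm
// lockfile and flag those in the range this debrief names (up to 2.2.0).
const AFFECTED_MAX = '2.2.0'; // upper bound taken from the advisory text

// Parse the leading "major.minor.patch" of a version string.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when version <= max. A prerelease of max (e.g. 2.2.0-beta) sorts below
// it, so it is in range too. Unparseable versions are flagged for manual review.
function isAffected(version, max = AFFECTED_MAX) {
  const a = parseVersion(version), b = parseVersion(max);
  if (!a) return true;
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return true;
}

// Collect every jsonata copy from a parsed package-lock.json: the flat
// "packages" map (lockfileVersion 2/3) or the nested "dependencies" tree (v1).
function findJsonata(lock) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/jsonata$/.test(path)) record(path, meta);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'jsonata') record(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; package names other than jsonata are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/jsonata': { version: '2.2.0' },
    'node_modules/report-lib/node_modules/jsonata': { version: '1.8.7' },
    'node_modules/jsonata-helper': { version: '3.1.0' },
  },
};
console.log(findJsonata(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of its package-lock.json to `findJsonata`. A result of `affected: false` only means the version is outside the range this debrief states, not that a fix has been confirmed.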
Evidence notes
The CVE record was obtained from the official CVE website [cve-org]. Additional information was obtained from the National Vulnerability Database [nvd].
Official resources
CVE-2026-12208 was published on 2026-06-15T03:16:23.993Z and has a CVSS score of 5.5.