PatchSiren cyber security CVE debrief
CVE-2026-1615 jsonpath CVE debrief
CVE-2026-1615 is a high-severity vulnerability in the jsonpath package affecting versions before 1.3.0. It is a code injection flaw: user-supplied JSON Path expressions are evaluated unsafely, so an attacker who can supply a malicious expression gets arbitrary JavaScript executed when that expression is evaluated, which means Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. All methods that evaluate JSON Paths against objects are affected, including .query, .nodes, .paths, .value, .parent, and .apply. The vulnerability has a CVSS score of 8.2 and is rated high severity.
- Vendor: jsonpath
- Product: jsonpath
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-09
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-09
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using the jsonpath package in Node.js environments or browser contexts should be aware of this vulnerability. Anyone running a version before 1.3.0 should assess their exposure and mitigate the risk; exposure is greatest where the JSON Path expressions being evaluated come from user-supplied input.
Technical summary
The jsonpath package relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code. This leads to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. The vulnerability affects all methods that evaluate JSON Paths against objects.
Defensive priority
High priority should be given to updating the jsonpath package to version 1.3.0 or later. Developers should also review their code to ensure that user-supplied JSON Path expressions are properly sanitized and validated.
Recommended defensive actions
- Update the jsonpath package to version 1.3.0 or later.
- Review code to ensure user-supplied JSON Path expressions are properly sanitized and validated.
- Implement additional security measures, such as input validation and output encoding, to prevent exploitation.
- Monitor for suspicious activity and implement logging and auditing to detect potential attacks.
- Consider using alternative JSON Path libraries that are designed to handle untrusted data safely.
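As an added example (not code from the jsonpath project or from this debrief), the validator below shows one way to do the "sanitize and validate" step from the technical summary and the action list: it allowlists plain navigation only and refuses expressions containing filter `[?(...)]` or script `[(...)]` sub-expressions, the JSONPath constructs that carry embedded JavaScript. The accepted grammar and the 512-character cap are conservative assumptions, and `guardedQuery`'s `queryFn` parameter stands in for whatever query function the application calls, so the guard runs without the package installed.

```javascript
'use strict';

// Allowlist grammar (assumption, deliberately narrower than the library's parser):
//   $            root
//   .name ..name .* ..*      member access, recursive descent, wildcards
//   [*] [0] [-1:] [::2] [0,2] ['a',"b"]   index, slice and union subscripts
// Anything else, including `[?(...)]` and `[(...)]`, fails the match.
const IDENT = '[A-Za-z_$][A-Za-z0-9_$]*';
const INT = '-?\\d+';
const OPT_INT = `(?:${INT})?`;
// Quoted names with no escape sequences and no embedded quote of the same kind.
const STR = `'[^'\\\\]*'|"[^"\\\\]*"`;
const SLICE = `${OPT_INT}\\s*:\\s*${OPT_INT}(?:\\s*:\\s*${OPT_INT})?`;
const UNION = `(?:${STR}|${INT})(?:\\s*,\\s*(?:${STR}|${INT}))*`;
const SEGMENT =
  `\\.\\.?(?:\\*|${IDENT})` +                  // .name  ..name  .*  ..*
  `|\\[\\s*(?:\\*|${SLICE}|${UNION})\\s*\\]`; // [*] [1:3] [0,2] ['a']
const SAFE_PATH = new RegExp(`^\\$(?:${SEGMENT})*$`);

// Hard length cap (assumption): legitimate navigation paths are short, and a
// cap keeps the regex work bounded on hostile input.
const MAX_LENGTH = 512;

/** Returns true only for a string that matches the allowlisted grammar. */
function isSafeJsonPath(expr) {
  return typeof expr === 'string'
    && expr.length <= MAX_LENGTH
    && SAFE_PATH.test(expr);
}

/**
 * Wraps a query function with the signature (obj, expr) => result, such as a
 * JSONPath library's query method, so that an expression failing the allowlist
 * is refused before it ever reaches the evaluator.
 */
function guardedQuery(queryFn, obj, expr) {
  if (!isSafeJsonPath(expr)) {
    throw new Error('rejected JSONPath expression: only plain navigation is allowed');
  }
  return queryFn(obj, expr);
}
```

This is a defense-in-depth measure for callers that must accept paths from users; it does not replace upgrading to 1.3.0 or later.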
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and affected versions. The source item URL provides additional information on the vulnerability, including references to the static-eval module and the affected methods.
Official resources
- CVE-2026-1615 CVE record (CVE.org)
- CVE-2026-1615 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.