PatchSiren cyber security CVE debrief
CVE-2026-47099 storybookjs CVE debrief
CVE-2026-47099 is a DOM-based cross-site scripting issue in TeleJSON versions prior to 6.0.0. The problem is in the parse() flow used to recreate object prototypes: a malicious _constructor-name_ value can be passed into new Function() without sanitization, allowing attacker-controlled JavaScript to run when untrusted JSON is processed. The practical risk is highest in browser-facing applications that accept TeleJSON input from untrusted sources, including cross-frame or postMessage-driven flows.
- Vendor: storybookjs
- Product: telejson
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Teams that use TeleJSON in web applications, especially if parse() processes data from browsers, iframes, widgets, extensions, or any other untrusted JSON source. Front-end, platform, and application security teams should review any code paths that deserialize TeleJSON data on the client side.
Technical summary
According to the source description and NVD metadata, TeleJSON prior to 6.0.0 contains a DOM-based XSS vulnerability in parse(). A crafted JSON payload with a malicious _constructor-name_ property can influence the custom reviver logic, which passes the constructor name directly to new Function() when rebuilding prototypes. NVD lists the weakness as CWE-79. The published CVSS vector indicates network-reachable impact with required user interaction in a browser context, and the overall severity is low (CVSS 2.1), but the issue still enables script execution in affected application contexts.
Defensive priority
Low overall by CVSS, but worth prompt review in any browser-exposed TeleJSON usage because the flaw can lead to script execution when untrusted data is parsed.
Recommended defensive actions
- Upgrade TeleJSON to 6.0.0 or later, or move to a patched release if one is available in your dependency channel.
- Audit all uses of TeleJSON parse() and identify any paths that accept data from untrusted sources, especially postMessage, iframe, widget, and cross-origin integration flows.
- Treat any client-side deserialization of TeleJSON as untrusted input and add allowlisting or schema validation before prototype reconstruction.
- Search for custom wrappers or forks that replicate the same reviver logic and remove any use of new Function() on attacker-influenced values.
- If immediate upgrade is not possible, disable or isolate the affected parsing path until a fixed version can be deployed.
- Review browser-side hardening controls such as CSP and trusted data boundaries, but do not rely on them as the primary fix for this parsing flaw.
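The flaw described in the technical summary is a reviver that hands an attacker-controlled constructor name to new Function(). The following is an added example, not TeleJSON's own code, of the allowlisting pattern the recommended actions call for: the reviver looks the name up in a registry of constructors the application is willing to restore and never evaluates the string. The `_constructor-name` marker key follows the advisory's description; `Point`, `restorePrototype`, `safeParse` and the `rejected` list are assumptions made for the example. Names that are not on the allowlist are dropped and reported, so a defender can log them as a signal that hostile input reached the parser.

```javascript
// Added example (not TeleJSON's code): prototype restoration without new Function().
// Assumed names: Point, CONSTRUCTOR_ALLOWLIST, restorePrototype, safeParse.

// A class this application is prepared to rebuild from JSON.
class Point {
  constructor(x = 0, y = 0) { this.x = x; this.y = y; }
  norm() { return Math.hypot(this.x, this.y); }
}

// Only constructors registered here can ever be restored.
const CONSTRUCTOR_ALLOWLIST = new Map([[Point.name, Point]]);

// Keys that must never be copied onto a rebuilt object, since assigning them
// would rewrite the prototype chain or shadow the constructor.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern from the advisory, kept as a comment only:
//   const Ctor = new Function(`return ${value['_constructor-name']}`)();
// Whoever controls the string controls what code runs.

// Hardened: look the name up; unknown or non-string names are rejected.
function restorePrototype(value, rejected = []) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return value;
  if (!Object.prototype.hasOwnProperty.call(value, '_constructor-name')) return value;

  const { ['_constructor-name']: name, ...fields } = value;
  const Ctor = typeof name === 'string' ? CONSTRUCTOR_ALLOWLIST.get(name) : undefined;

  if (Ctor === undefined) {
    // Record what was refused (useful for detection) and return plain data
    // with the marker removed. Nothing is evaluated.
    rejected.push(typeof name === 'string' ? name : `<${typeof name}>`);
    return fields;
  }

  // Rebuild on the allowlisted prototype, copying only safe data properties.
  const out = Object.create(Ctor.prototype);
  for (const [key, fieldValue] of Object.entries(fields)) {
    if (BLOCKED_KEYS.has(key)) continue;
    Object.defineProperty(out, key, {
      value: fieldValue, writable: true, enumerable: true, configurable: true,
    });
  }
  return out;
}

// Parse untrusted JSON, restoring only allowlisted prototypes.
// Returns the parsed value and the list of constructor names that were refused.
function safeParse(text) {
  const rejected = [];
  const value = JSON.parse(text, (_key, v) => restorePrototype(v, rejected));
  return { value, rejected };
}

// Constructed sample input: one allowlisted marker, one unknown marker.
const sample = '{"p":{"_constructor-name":"Point","x":3,"y":4},'
  + '"q":{"_constructor-name":"NotRegistered","a":1}}';
const parsed = safeParse(sample);
console.log(parsed.value.p.norm(), parsed.rejected); // 5 [ 'NotRegistered' ]
```

In a real deployment the `rejected` list would go to client-side telemetry: any non-empty value means input carried a constructor name the application never registered, which is exactly the condition this advisory is about.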
Evidence notes
CVE-2026-47099 was published and modified on 2026-05-20T20:16:41.063Z, and the supplied source item is the NVD modified feed entry with status 'Received'. The source corpus describes TeleJSON prior to 6.0.0 as vulnerable to DOM-based XSS in parse(), with a crafted _constructor-name_ value reaching new Function() without sanitization. NVD metadata attributes the weakness to CWE-79 and includes references to the GitHub security advisory and the Vulncheck advisory.
Official resources
Publicly disclosed through the CVE/NVD record on 2026-05-20, with reference links to a GitHub security advisory and a Vulncheck advisory in the supplied source corpus.