CRITICAL
jmespath
CVE published 2026-06-12
CVE-2026-54133
A critical vulnerability, CVE-2026-54133, was discovered in jmespath.php, a PHP library for declaratively specifying how to extract elements from a JSON document. The vulnerability has a CVSS score of 9.8 and can allow attackers to execute arbitrary PHP code. The issue arises when using `JmesPath\CompilerRuntime` with an attacker-controlled JMESPath expression, which can generate and execute malicious PHP [truncated]
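To find out whether a code base meets the condition described above (the compiling runtime in use together with expressions that are not fixed strings), the following audit sketch is an added example, not code from the advisory or from the jmespath.php project. It assumes the library's `JP_PHP_COMPILE` environment variable and its `Env::search` / `JmesPath\search` entry points, which are not named on this page; the sample files are constructed.

```python
import re

# Constructed sample project (file name -> contents), not from any real code base.
SAMPLE = {
    "src/Report.php": "<?php\nuse JmesPath\\Env;\n"
                      "$rows = Env::search('items[*].name', $data);\n",
    "src/Api.php": "<?php\n"
                   "$rt = new \\JmesPath\\CompilerRuntime('/var/cache/jp');\n"
                   "$out = $rt($_GET['q'], $data);\n"
                   "$hits = \\JmesPath\\search($request->query, $data);\n",
    "deploy/.env": "APP_ENV=prod\nJP_PHP_COMPILE=on\n",
}

# The compiling runtime is switched on either by instantiating the class or by
# setting JP_PHP_COMPILE (assumption: env var read by the library's Env helper).
ENABLE = re.compile(
    r"new\s+\\?(?:JmesPath\\)?CompilerRuntime\b|JP_PHP_COMPILE\s*=\s*\S")
# Variables that hold a CompilerRuntime instance, e.g. "$rt = new CompilerRuntime".
ASSIGN = re.compile(r"(\$\w+)\s*=\s*new\s+\\?(?:JmesPath\\)?CompilerRuntime\b")
# First character of the expression argument at the library's search helpers.
SEARCH = re.compile(r"(?:Env::search|JmesPath\\search)\s*\(\s*(\S)")


def audit(files):
    """Return where the compiler is enabled and where expressions are dynamic."""
    enabled, dynamic = [], []
    for name, text in files.items():
        runtimes = set(ASSIGN.findall(text))
        for no, line in enumerate(text.splitlines(), 1):
            if ENABLE.search(line):
                enabled.append((name, no))
            first = [m.group(1) for m in SEARCH.finditer(line)]
            for var in runtimes:  # direct invocations such as $rt($expr, $data)
                first += re.findall(re.escape(var) + r"\s*\(\s*(\S)", line)
            # Anything that does not start with a quote is not a string literal.
            if any(ch not in "'\"" for ch in first):
                dynamic.append((name, no))
    return {
        "compiler_enabled": enabled,
        "dynamic_expressions": dynamic,
        # Both conditions together match the exposure the advisory describes.
        "needs_review": bool(enabled and dynamic),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

A hit in `dynamic_expressions` only means the expression is not a literal; whether its value is attacker-controlled still has to be traced by hand.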