LOW
storybookjs
CVE published 2026-05-20
CVE-2026-47099
CVE-2026-47099 is a DOM-based cross-site scripting issue in TeleJSON versions prior to 6.0.0. The problem is in the parse() flow used to recreate object prototypes: a malicious _constructor-name_ value can be passed into new Function() without sanitization, allowing attacker-controlled JavaScript to run when untrusted JSON is processed. The practical risk is highest in browser-facing applications that acc [truncated]