CVE-2026-1615 – Jsonpath Arbitrary Code Injection Vulnerability
CVE ID : CVE-2026-1615
Published : Feb. 9, 2026, 5 a.m.
Description : All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Severity: 0.0 | NA
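Mitigation sketch, added here as an example (not code from the advisory or from the jsonpath project): because every version is listed as affected, one defensive option is to allowlist the shape of a JSON Path string before it reaches any of the evaluating methods. The names isSafeJsonPath, classify and MAX_PATH_LENGTH are hypothetical, and the grammar assumes that the script "(...)" and filter "?(...)" forms are the parts of a path that carry embedded expressions.

```javascript
// Added example: fail-closed allowlist for JSON Path strings.
// Hypothetical helper, not part of the jsonpath package.
//
// Accepted segments after the leading "$":
//   .name  ..name  .*  ..*          dot child, recursive descent, wildcard
//   ['name']  ["name"]              quoted child (no quotes, backslashes,
//                                   brackets or parentheses inside)
//   [0]  [-1]  [*]  [1:5]  [::2]    index, wildcard, slice
// Deliberately absent: "(...)" script and "?(...)" filter expressions.
const SEGMENT = new RegExp(
  [
    String.raw`\.\.?(?:[A-Za-z_][A-Za-z0-9_]*|\*)`,
    String.raw`(?:\.\.)?\[(?:'[^'\\\]\[()]*'|"[^"\\\]\[()]*")\]`,
    String.raw`(?:\.\.)?\[(?:\*|-?\d+|-?\d*:-?\d*(?::-?\d*)?)\]`,
  ].join('|'),
  'y' // sticky: each match must begin exactly where the previous one ended
);

const MAX_PATH_LENGTH = 256; // assumed limit; tune for the application

function isSafeJsonPath(path) {
  if (typeof path !== 'string') return false;
  if (path.length === 0 || path.length > MAX_PATH_LENGTH) return false;
  if (path[0] !== '$') return false;

  let pos = 1;
  while (pos < path.length) {
    SEGMENT.lastIndex = pos;
    const match = SEGMENT.exec(path);
    // Anything the grammar does not recognise is rejected, not sanitised.
    if (match === null || match[0].length === 0) return false;
    pos = SEGMENT.lastIndex;
  }
  return true;
}

// Convenience wrapper for logging or tests: pairs each input with the verdict.
function classify(paths) {
  return paths.map((p) => ({ path: p, allowed: isSafeJsonPath(p) }));
}
```

Call isSafeJsonPath on any externally supplied path and refuse the request when it returns false, before handing the string to .query, .nodes, .paths, .value, .parent or .apply. Applications that need filtering can apply it in their own code to the nodes a plain path returns.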