PT-2026-42227 · Telejson

Niccolò Parlanti · Published 2026-04-02 · Updated 2026-05-20 · CVE-2026-47099

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: TeleJSON versions prior to 6.0.0

Description: An issue exists in the parse() function involving unsafe deserialization. When reconstructing object prototypes, a custom reviver passes the value of the constructor-name property directly to new Function() without sanitization. This allows an attacker to execute arbitrary JavaScript by delivering a crafted JSON payload, for example, through postMessage in cross-frame communication contexts.

Recommendations: Update to version 6.0.0 or later.
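The safe alternative to the pattern described above is to never derive executable code from a name carried in the payload: resolve the constructor name against an explicit allowlist and reject anything else. The following is an added illustration, not TeleJSON's own code; the `__constructor__` tag name, the `Point` class and the `safeParse` helper are assumptions made for the example.

```javascript
// Added example (not telejson's code): a JSON.parse reviver that rebuilds
// tagged objects by looking the constructor name up in an allowlist
// instead of evaluating it. Tag name and classes are assumptions.

class Point {
  constructor(x, y) { this.x = x; this.y = y; }
  norm() { return Math.hypot(this.x, this.y); }
}

// A Map, not a plain object, so names such as "constructor" or "__proto__"
// cannot resolve to inherited properties of the lookup table itself.
const ALLOWED_CONSTRUCTORS = new Map([["Point", Point]]);

function safeReviver(key, value) {
  if (value === null || typeof value !== "object") return value;
  const name = value.__constructor__;
  if (typeof name !== "string") return value;

  const ctor = ALLOWED_CONSTRUCTORS.get(name);
  if (ctor === undefined) {
    // Unknown or unlisted names are rejected outright, never evaluated.
    throw new Error(`rejected constructor name: ${name}`);
  }

  // Restore the prototype without running the constructor on untrusted data,
  // and copy only plain own properties; "__proto__" is skipped so a crafted
  // key cannot swap the prototype after the fact.
  const obj = Object.create(ctor.prototype);
  for (const [k, v] of Object.entries(value)) {
    if (k === "__constructor__" || k === "__proto__") continue;
    obj[k] = v;
  }
  return obj;
}

function safeParse(text) {
  return JSON.parse(text, safeReviver);
}

// Constructed sample input: a serialised Point tagged with its constructor name.
const SAMPLE = '{"p":{"__constructor__":"Point","x":3,"y":4}}';
```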

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-47099
GHSA-CCGF-5RWJ-J3HV

Affected Products

Telejson