CVE-2026-1615

Name of the Vulnerable Software and Affected Versions jsonpath (affected versions not specified)

Description The package jsonpath is susceptible to Arbitrary Code Injection due to unsafe evaluation of user-supplied JSON Path expressions. The library utilizes the static-eval module to process JSON Path input, which is not designed for untrusted data. An attacker can supply a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, potentially leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This impacts all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.