{"id":"CVE-2026-1615","details":"Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.","aliases":["GHSA-87r5-mp6g-5w5j"],"modified":"2026-03-31T08:14:09.626836167Z","published":"2026-02-09T05:16:24.353Z","related":["SUSE-SU-2026:1008-1","SUSE-SU-2026:1013-1","SUSE-SU-2026:1035-1","SUSE-SU-2026:1148-1","SUSE-SU-2026:20574-1","openSUSE-SU-2026:20239-1"],"references":[{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034"},{"type":"WEB","url":"https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js%23L243"},{"type":"FIX","url":"https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dchester/jsonpath","events":[{"introduced":"0"},{"fixed":"0170daa821e834d2b72a0ee661e2f5e8068357b3"},{"fixed":"9631412641b7095f86840a7a45b5b3afc68b0fcb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.0"}]}}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.2.0","0.2.1","0.2.10","0.2.11","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.2.8","0.2.9","1.0.0","1.0.2","1.1.0","1.1.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-1615.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}