Cyber Posture

CVE-2026-1615

Critical

Published: 09 February 2026

Published
09 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted…

more

data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates CVE-2026-1615 by requiring identification, reporting, and timely correction of the flaw in jsonpath versions before 1.3.0 via patching or upgrading.

SI-10 Information Input Validation good match
prevent

Prevents arbitrary code injection by enforcing validation of user-supplied JSON Path expressions to block malicious patterns before evaluation by the vulnerable static-eval module.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Detects the presence of vulnerable jsonpath package versions through vulnerability scanning of software components and dependencies.

Security SummaryAI

CVE-2026-1615 is an arbitrary code injection vulnerability in versions of the jsonpath npm package before 1.3.0. The flaw arises from the library's reliance on the static-eval module to process user-supplied JSON Path expressions, which is not designed to handle untrusted data safely. When evaluated, these expressions can execute arbitrary JavaScript code. The vulnerability, tagged under CWE-94, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

Attackers can exploit this remotely by supplying a malicious JSON Path expression without requiring authentication, privileges, or user interaction. In Node.js environments, successful exploitation leads to remote code execution. In browser contexts, it results in cross-site scripting (XSS).

Advisories recommend upgrading to jsonpath version 1.3.0 or later, which patches the issue via commit https://github.com/dchester/jsonpath/commit/b61111f07ac1a8d0f3133b5fc51438ecb76a6c39. The vulnerable code appears in handlers.js at line 243: https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243. Further details are in Snyk advisories: https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034 and https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219.

Details

CWE(s)
CWE-94

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

CVE enables unauthenticated RCE via arbitrary JavaScript code injection in Node.js environments (T1190: Exploit Public-Facing Application) and facilitates JavaScript interpreter execution (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References