GCVE - cpe:2.3:a:n/a:org.webjars.npm:jsonpath:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:n/a:org.webjars.npm:jsonpath:*:*:*:*:*:*:*:*

part: a version: jsonpath update: *

Vendor	N/A (`22f567d3-1203-528c-8f0e-3eb9c2f6ca78`)
Product	Org.Webjars.Npm (`1bfc0018-a693-5863-8d2a-88aebae96d1d`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-1615`	vulnerable	2026-06-08 07:49:09.035917	Details available CRITICAL (9.8) Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply. Published: 2026-02-09T05:00:09.050Z Updated: 2026-04-07T13:08:50.705Z Open on db.gcve.eu Reference links https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219 https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js%23L243 https://github.com/dchester/jsonpath/commit/b61111f07ac1a8d0f3133b5fc51438ecb76a6c39	Imported from gcve-enriched-dumps CVE data

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.