CVE-2026-1615
Summary
| CVE | CVE-2026-1615 |
|---|---|
| State | PUBLISHED |
| Assigner | snyk |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-02-09 05:16:24 UTC |
| Updated | 2026-06-30 03:17:18 UTC |
| Description | Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply. |
Risk And Classification
Primary CVSS: v4.0 8.2 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.010490000 probability, percentile 0.600220000 (date 2026-07-01)
Problem Types: CWE-94 | CWE-94 Arbitrary Code Injection | CWE-94 Improper Control of Generation of Code ('Code Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/C... |
| 4.0 | CNA | DECLARED | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |
| 3.1 | ADP | CVSS | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Na | Jsonpath | affected 1.3.0 semver | Not specified |
| CNA | Na | Org.webjars.npmjsonpath | affected * semver | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Developer Hub 1.9 | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Virtualization | Not specified | Not specified |
| ADP | Red Hat | OpenShift Pipelines | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Self-service Automation Portal 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034 | [email protected] | security.snyk.io | |
| access.redhat.com/security/cve/CVE-2026-1615 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/dchester/jsonpath/commit/b61111f07ac1a8d0f3133b5fc51438ecb76a... | [email protected] | github.com | |
| access.redhat.com/errata/RHSA-2026:6802 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219 | [email protected] | security.snyk.io | |
| access.redhat.com/errata/RHSA-2026:6308 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6309 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1615.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Nick Copi (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-02-09T11:10:57.572Z | Reported to Red Hat. |
| ADP | 2026-02-09T05:00:09.050Z | Made public. |
Solutions
ADP: RHSA-2026:6308: Red Hat Ansible Automation Platform 2.5
ADP: RHSA-2026:6309: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:6802: Red Hat Developer Hub 1.9
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.