CVE Catalog

CVE-2026-47099

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile - higher than 28% of all known CVEs

Summary

TeleJSON prior to version 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function. Attackers can deliver a crafted JSON payload with a malicious _constructor-name_ property value that is passed directly to new Function() without sanitization, allowing arbitrary JavaScript execution.

Risk Assessment

The risk involves potential compromise of the application by an attacker who can execute arbitrary scripts in the victim's context, e.g., via postMessage in cross-frame communication, leading to data theft, session hijacking, or further attack escalation.

Recommendation

Immediately update TeleJSON to version 6.0.0 or later, which includes a fix for this vulnerability. If an update is not possible, restrict the use of the parse() function with untrusted data and apply additional input validation.

Original NVD description (English source)

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS