CVE-2026-54133

EPSS 0.32%
Veröffentlicht 12.06.2026 13:56:37
Zuletzt bearbeitet 15.06.2026 18:09:46
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

jmespath.php has CompilerRuntime code injection via unescaped function names

jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jmespath ≫ Jmespath SwPlatformphp Version < 2.9.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.235

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/jmespath/jmespath.php/security/advisories/GHSA-pcw8-m77r-2528

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-54133

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-54133

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-54133

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-54133