CVE-2026-54133

June 12, 2026, 4:16 p.m.

9.8
Critical

Description

jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.

Product(s) Impacted

Vendor Product Versions
Jmespath
  • Jmespath
  • 2.9.0, <2.9.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a jmespath jmespath 2.9.0 / / / / / / /
a jmespath jmespath <2.9.1 / / / / / / /

References

https://github.com/jmespath/jmespath.php/security/advisories/GHSA-pcw8-m77r-2528
https://github.com/jmespath/jmespath.php/security/advisories/GHSA-pcw8-m77r-2528

Tags

CWE-20
[email protected]
2026-06-12
CVE-2026-54133

CVSS Score

9.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: June 12, 2026, 3:16 p.m.
Last Modified: June 12, 2026, 4:16 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.