[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-1615":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T02:55:33.997Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":62,"aliases":63,"duplicate_of":9,"upstream":65,"downstream":66,"duplicates":79,"related":80,"reserved_at":9,"published_at":87,"modified_at":88,"state":89,"summary":90,"references_raw":99,"kevs":145,"epss":146,"epss_history":149,"metrics":421,"affected":437},"CVE-2026-1615","Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-94","Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.","weakness","Draft","Base","Medium",[20,24,58],{"id":21,"name":22,"techniques":23},"CAPEC-242","Code Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-35","Leverage Executable Code in Non-Executable Files",[28,39,46],{"id":29,"name":30,"tactics":31,"countermeasures":38},"T1027.006","HTML Smuggling",[32,35],{"id":33,"name":34},"TA0030","Defense Evasion",{"id":36,"name":37},"TA0005","Stealth",[],{"id":40,"name":41,"tactics":42,"countermeasures":45},"T1027.009","Embedded Payloads",[43,44],{"id":33,"name":34},{"id":36,"name":37},[],{"id":47,"name":48,"tactics":49,"countermeasures":52},"T1564.009","Resource Forking",[50,51],{"id":33,"name":34},{"id":36,"name":37},[53],{"id":54,"name":55,"tactic":56},"D3-FFV","File Format Verification",{"name":57},"Isolate",{"id":59,"name":60,"techniques":61},"CAPEC-77","Manipulating User-Controlled Variables",[],[],[64],"GHSA-87r5-mp6g-5w5j",[],[67,69,71,73,75,77],{"_key":68},"OPENSUSE-SU-2026:20239-1",{"_key":70},"SUSE-SU-2026:1013-1",{"_key":72},"SUSE-SU-2026:1008-1",{"_key":74},"SUSE-SU-2026:1148-1",{"_key":76},"SUSE-SU-2026:1524-1",{"_key":78},"SUSE-SU-2026:20574-1",[],[81,82,83,84,85,86],{"_key":68},{"_key":70},{"_key":72},{"_key":74},{"_key":76},{"_key":78},"2026-02-09T05:00:09.050Z","2026-04-07T13:08:50.705Z","Deferred",{"cisa_kev":91,"cisa_ransomware":91,"cisa_vendor":9,"epss_severity":92,"epss_score":93,"severity":94,"severity_score":95,"severity_version":96,"severity_source":97,"severity_vector":98,"severity_status":89},false,"low",0.00107,"critical",9.8,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[100,107,111,115,120,125,129,133,137,141],{"url":101,"sources":102,"tags":105},"https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034",[103,97,104],"cve.org","osv_npm",[106],"WEB",{"url":108,"sources":109,"tags":110},"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219",[103,97,104],[106],{"url":112,"sources":113,"tags":114},"https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js%23L243",[103,97],[],{"url":116,"sources":117,"tags":118},"https://nvd.nist.gov/vuln/detail/CVE-2026-1615",[104],[119],"Advisory",{"url":121,"sources":122,"tags":123},"https://github.com/dchester/jsonpath",[104],[124],"PACKAGE",{"url":126,"sources":127,"tags":128},"https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243",[104],[106],{"url":130,"sources":131,"tags":132},"https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb",[103,97],[],{"url":134,"sources":135,"tags":136},"https://github.com/dchester/jsonpath/pull/197",[104],[106],{"url":138,"sources":139,"tags":140},"https://github.com/dchester/jsonpath/commit/491e2e01de2ff13f7d95e87eb2be726edbf4225f",[104],[106],{"url":142,"sources":143,"tags":144},"https://github.com/dchester/jsonpath/commit/b61111f07ac1a8d0f3133b5fc51438ecb76a6c39",[104,103,97],[106],[],{"date":147,"score":93,"percentile":148},"2026-06-05",0.28557,[150,154,157,160,163,166,169,173,176,179,183,186,189,192,196,199,202,205,208,211,214,217,220,223,226,229,232,235,238,241,244,247,249,253,256,259,262,265,268,270,273,276,279,282,285,288,291,294,297,300,303,306,309,312,315,318,321,324,327,330,333,336,339,342,345,347,350,353,356,359,362,365,368,371,373,376,379,382,385,388,391,394,397,400,403,406,409,412,415,418],{"date":151,"score":152,"percentile":153},"2026-02-09",0.00218,0.44162,{"date":155,"score":152,"percentile":156},"2026-02-10",0.44153,{"date":158,"score":152,"percentile":159},"2026-02-11",0.44151,{"date":161,"score":152,"percentile":162},"2026-02-12",0.44173,{"date":164,"score":152,"percentile":165},"2026-02-13",0.44169,{"date":167,"score":152,"percentile":168},"2026-02-14",0.44181,{"date":170,"score":171,"percentile":172},"2026-02-15",0.00287,0.51711,{"date":174,"score":171,"percentile":175},"2026-02-16",0.51694,{"date":177,"score":171,"percentile":178},"2026-02-17",0.51676,{"date":180,"score":181,"percentile":182},"2026-02-18",0.00094,0.26372,{"date":184,"score":181,"percentile":185},"2026-02-19",0.26422,{"date":187,"score":181,"percentile":188},"2026-02-20",0.26444,{"date":190,"score":181,"percentile":191},"2026-02-21",0.26474,{"date":193,"score":194,"percentile":195},"2026-02-22",0.0009,0.25481,{"date":197,"score":181,"percentile":198},"2026-02-23",0.26407,{"date":200,"score":181,"percentile":201},"2026-02-24",0.26347,{"date":203,"score":181,"percentile":204},"2026-02-25",0.26334,{"date":206,"score":181,"percentile":207},"2026-02-26",0.26348,{"date":209,"score":181,"percentile":210},"2026-02-27",0.26361,{"date":212,"score":181,"percentile":213},"2026-02-28",0.26368,{"date":215,"score":181,"percentile":216},"2026-03-01",0.26415,{"date":218,"score":181,"percentile":219},"2026-03-02",0.26386,{"date":221,"score":181,"percentile":222},"2026-03-03",0.26366,{"date":224,"score":181,"percentile":225},"2026-03-04",0.26228,{"date":227,"score":181,"percentile":228},"2026-03-05",0.263,{"date":230,"score":181,"percentile":231},"2026-03-06",0.26303,{"date":233,"score":181,"percentile":234},"2026-03-07",0.2628,{"date":236,"score":181,"percentile":237},"2026-03-08",0.26259,{"date":239,"score":181,"percentile":240},"2026-03-09",0.26231,{"date":242,"score":181,"percentile":243},"2026-03-10",0.2621,{"date":245,"score":181,"percentile":246},"2026-03-11",0.26185,{"date":248,"score":181,"percentile":225},"2026-03-12",{"date":250,"score":251,"percentile":252},"2026-03-13",0.00103,0.28112,{"date":254,"score":251,"percentile":255},"2026-03-14",0.28104,{"date":257,"score":251,"percentile":258},"2026-03-15",0.28027,{"date":260,"score":251,"percentile":261},"2026-03-16",0.28038,{"date":263,"score":251,"percentile":264},"2026-03-17",0.2801,{"date":266,"score":251,"percentile":267},"2026-03-18",0.27995,{"date":269,"score":251,"percentile":267},"2026-03-19",{"date":271,"score":251,"percentile":272},"2026-03-20",0.28042,{"date":274,"score":251,"percentile":275},"2026-03-21",0.28122,{"date":277,"score":251,"percentile":278},"2026-03-22",0.28111,{"date":280,"score":251,"percentile":281},"2026-03-23",0.28091,{"date":283,"score":251,"percentile":284},"2026-03-24",0.28086,{"date":286,"score":251,"percentile":287},"2026-03-25",0.28136,{"date":289,"score":251,"percentile":290},"2026-03-26",0.28184,{"date":292,"score":251,"percentile":293},"2026-03-27",0.28207,{"date":295,"score":251,"percentile":296},"2026-03-28",0.28232,{"date":298,"score":251,"percentile":299},"2026-03-29",0.28201,{"date":301,"score":251,"percentile":302},"2026-03-30",0.28183,{"date":304,"score":251,"percentile":305},"2026-03-31",0.28174,{"date":307,"score":251,"percentile":308},"2026-04-01",0.28189,{"date":310,"score":251,"percentile":311},"2026-04-02",0.28261,{"date":313,"score":251,"percentile":314},"2026-04-03",0.28272,{"date":316,"score":251,"percentile":317},"2026-04-04",0.28304,{"date":319,"score":251,"percentile":320},"2026-04-05",0.28253,{"date":322,"score":251,"percentile":323},"2026-04-06",0.281,{"date":325,"score":251,"percentile":326},"2026-04-07",0.28095,{"date":328,"score":251,"percentile":329},"2026-04-08",0.2816,{"date":331,"score":251,"percentile":332},"2026-04-09",0.28203,{"date":334,"score":251,"percentile":335},"2026-04-10",0.28223,{"date":337,"score":251,"percentile":338},"2026-04-11",0.28211,{"date":340,"score":251,"percentile":341},"2026-04-12",0.28168,{"date":343,"score":251,"percentile":344},"2026-04-13",0.2811,{"date":346,"score":251,"percentile":281},"2026-04-14",{"date":348,"score":251,"percentile":349},"2026-04-15",0.28145,{"date":351,"score":251,"percentile":352},"2026-04-16",0.28123,{"date":354,"score":251,"percentile":355},"2026-04-17",0.28114,{"date":357,"score":93,"percentile":358},"2026-04-18",0.2891,{"date":360,"score":93,"percentile":361},"2026-04-19",0.28867,{"date":363,"score":93,"percentile":364},"2026-04-20",0.28854,{"date":366,"score":93,"percentile":367},"2026-04-21",0.28863,{"date":369,"score":93,"percentile":370},"2026-04-22",0.28915,{"date":372,"score":93,"percentile":370},"2026-04-23",{"date":374,"score":93,"percentile":375},"2026-04-24",0.28745,{"date":377,"score":93,"percentile":378},"2026-04-25",0.2866,{"date":380,"score":93,"percentile":381},"2026-04-26",0.28633,{"date":383,"score":93,"percentile":384},"2026-04-27",0.28616,{"date":386,"score":93,"percentile":387},"2026-04-28",0.28555,{"date":389,"score":93,"percentile":390},"2026-04-29",0.28564,{"date":392,"score":93,"percentile":393},"2026-04-30",0.28546,{"date":395,"score":93,"percentile":396},"2026-05-01",0.28541,{"date":398,"score":93,"percentile":399},"2026-05-02",0.2858,{"date":401,"score":93,"percentile":402},"2026-05-03",0.28513,{"date":404,"score":93,"percentile":405},"2026-05-04",0.28443,{"date":407,"score":93,"percentile":408},"2026-05-05",0.28406,{"date":410,"score":93,"percentile":411},"2026-05-06",0.28402,{"date":413,"score":93,"percentile":414},"2026-05-07",0.28463,{"date":416,"score":93,"percentile":417},"2026-05-08",0.28451,{"date":419,"score":93,"percentile":420},"2026-05-09",0.28486,[422,427,434],{"source":103,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":423},{"baseScore":424,"baseSeverity":425,"vectorString":426,"impactScore":9,"exploitabilityScore":9},9.2,"CRITICAL","CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",{"source":97,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":428,"cvss_v4_0":430},{"baseScore":95,"baseSeverity":425,"vectorString":98,"impactScore":95,"exploitabilityScore":429},10,{"baseScore":431,"baseSeverity":432,"vectorString":433,"impactScore":9,"exploitabilityScore":9},8.2,"HIGH","CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",{"source":104,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":435,"cvss_v4_0":436},{"baseScore":95,"baseSeverity":9,"vectorString":98,"impactScore":95,"exploitabilityScore":429},{"baseScore":424,"baseSeverity":9,"vectorString":426,"impactScore":9,"exploitabilityScore":9},[438],{"ecosystem":439,"name":440,"vendor":439,"product":440,"cpe_part":9,"purl_type":441,"purl_namespace":9,"purl_name":440,"source":9,"versions":442},"Npm","jsonpath","npm",[443,449,452],{"version":444,"is_range":445,"range_type":446,"version_start":9,"version_start_type":9,"version_end":447,"version_end_type":448,"fixed_in":9},"lt1_2_1",true,"semver","1.2.1","excluding",{"version":450,"is_range":445,"range_type":446,"version_start":9,"version_start_type":9,"version_end":447,"version_end_type":451,"fixed_in":9},"lte1_2_1","including",{"version":453,"is_range":445,"range_type":446,"version_start":9,"version_start_type":9,"version_end":454,"version_end_type":448,"fixed_in":9},"lt1_3_0","1.3.0"]