CVE-2026-47099
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
TeleJSON prior to version 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function. Attackers can deliver a crafted JSON payload with a malicious _constructor-name_ property value that is passed directly to new Function() without sanitization, allowing arbitrary JavaScript execution.
Risk Assessment
The risk involves potential compromise of the application by an attacker who can execute arbitrary scripts in the victim's context, e.g., via postMessage in cross-frame communication, leading to data theft, session hijacking, or further attack escalation.
Recommendation
Immediately update TeleJSON to version 6.0.0 or later, which includes a fix for this vulnerability. If an update is not possible, restrict the use of the parse() function with untrusted data and apply additional input validation.
Original NVD description (English source)
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

