CVE-2026-54133
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
A vulnerability in the jmespath.php library allows an attacker to execute arbitrary PHP code when using the `JmesPath\CompilerRuntime` with an attacker-controlled JMESPath expression. The compiler fails to properly escape function names, enabling injection of malicious code into the generated cache file, which is then executed.
Risk Assessment
An attacker can remotely execute arbitrary PHP code on the server, leading to full application compromise, data theft, or system takeover.
Recommendation
Immediately update the jmespath.php library to version 2.9.1 or later. Until then, do not use `JmesPath\CompilerRuntime` with untrusted expressions; use `AstRuntime` instead.
Original NVD description (English source)
jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.

