Description
A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in jsonata-js jsonata version 2.2.0 and earlier in the createFrame function of src/jsonata.js. It enables an attacker to manipulate object prototype attributes arbitrarily, which can lead to prototype pollution. This weakness allows a remote actor to inject malicious data that is later executed or used by the application, potentially resulting in code execution or denial of service. The flaw is a type of improper handling of prototype attributes and is classified under CWE-1321 and CWE-94.

Affected Systems

The affected product is jsonata-js:jsonata. All installations using version 2.2.0 or earlier are vulnerable; no specific minor release was listed as patched. The vendor has not issued a fix at this time.

Risk and Exploitability

The CVSS score is 6.9, representing moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. Attackers can exploit the weakness remotely by sending crafted expressions that trigger createFrame. The public exploit is available, showing that this vulnerability can be actively used against exposed services.

Generated by OpenCVE AI on June 15, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsonata to a version later than 2.2.0 once the vendor releases a patch
  • If an upgrade is not possible, disable any features that invoke createFrame or use strict mode to prevent prototype modification
  • Monitor incoming JSON expressions for prototype pollution patterns and block suspicious payloads

Generated by OpenCVE AI on June 15, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution
First Time appeared Jsonata-js
Jsonata-js jsonata
Weaknesses CWE-1321
CWE-94
CPEs cpe:2.3:a:jsonata-js:jsonata:*:*:*:*:*:*:*:*
Vendors & Products Jsonata-js
Jsonata-js jsonata
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Jsonata-js Jsonata
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T02:00:08.916Z

Reserved: 2026-06-14T12:25:38.149Z

Link: CVE-2026-12208

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-15T03:16:23.993

Modified: 2026-06-15T03:16:23.993

Link: CVE-2026-12208

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T06:30:32Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')