Description
A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in jsonata-js jsonata version 2.2.0 and earlier, in the createFrame function of src/jsonata.js. It enables an attacker to manipulate object prototype attributes arbitrarily, which can lead to prototype pollution. This weakness allows a remote actor to inject malicious data that is later executed or used by the application, potentially resulting in code execution or denial of service. The flaw is a type of improper handling of prototype attributes and is classified under CWE-1321, CWE-915, and CWE-94.

Affected Systems

The affected product is jsonata-js:jsonata. All installations using version 2.2.0 or earlier are vulnerable; no specific minor release was listed as patched. The vendor has not issued a fix at this time.

Risk and Exploitability

The CVSS score is 6.9, representing moderate severity. An EPSS score of 0.00314 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Attackers can exploit the weakness remotely by sending crafted expressions that trigger createFrame. A public exploit is available, showing that this vulnerability can be actively used against exposed services.

Generated by OpenCVE AI on June 26, 2026 at 02:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsonata to a version later than 2.2.0 once the vendor releases a patch
  • If an upgrade is not possible, disable any features that invoke createFrame or use strict mode to prevent prototype modification
  • Monitor incoming JSON expressions for prototype pollution patterns and block suspicious payloads



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type       | Values Removed         | Values Added
Weaknesses |                        | CWE-915
References |                        |
Metrics    | threat_severity: None  | threat_severity: Moderate


Mon, 15 Jun 2026 21:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 03:00:00 +0000

Type                | Values Removed | Values Added
Description         |                | A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title               |                | jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution
First Time appeared |                | Jsonata-js; Jsonata-js jsonata
Weaknesses          |                | CWE-1321; CWE-94
CPEs                |                | cpe:2.3:a:jsonata-js:jsonata:*:*:*:*:*:*:*:*
Vendors & Products  |                | Jsonata-js; Jsonata-js jsonata
References          |                |
Metrics             |                | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                    |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                    |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T19:25:11.446Z

Reserved: 2026-06-14T12:25:38.149Z

Link: CVE-2026-12208

Vulnrichment

Updated: 2026-06-15T15:59:11.532Z

NVD

Status : Deferred

Published: 2026-06-15T03:16:23.993

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-12208

Redhat

Severity : Moderate

Public Date: 2026-06-15T02:00:08Z

Links: CVE-2026-12208 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T02:15:15Z

Weaknesses
  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
  • CWE-94: Improper Control of Generation of Code ('Code Injection')