Description
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.
Published: 2026-05-20
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TeleJSON prior to version 6.0.0 contains a DOM-based cross‑site scripting vulnerability in the parse() function. An attacker can craft a JSON payload that includes a malicious _constructor-name_ property value. The library’s custom reviver passes this value directly to new Function without sanitization when recreating object prototypes, allowing the attacker to inject and execute arbitrary JavaScript inside the application. This can lead to script execution that may compromise confidentiality, integrity, or availability of the application’s data.

Affected Systems

The affected product is TeleJSON by storybookjs for all releases prior to 6.0.0. No specific sub‑versions are listed; any installation using a version older than 6.0.0 is potentially vulnerable.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity. No EPSS score is available, so the exploitation probability is unclear but likely low. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to involve delivery of a crafted JSON payload via mechanisms such as postMessage in cross‑frame communication, where the victim application parses the payload with the vulnerable parse() function. Successful exploitation requires the attacker to get the malicious data to the victim and the application to pass that data to parse(), whose custom reviver evaluates the constructor name with new Function.

Generated by OpenCVE AI on May 20, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TeleJSON to version 6.0.0 or later.
  • If an upgrade is not feasible, validate or whitelist _constructor-name_ values before passing them to new Function, or disable the custom reviver logic.
  • Ensure that any cross‑frame or external JSON input is from trusted origins or is sanitized before being parsed.
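As an added illustration of the second and third recommended actions (this is not TeleJSON's own code; the marker name, the registry and the message shape are assumptions), the reviver below restores prototypes only from an explicit allowlist, never evaluating anything from the payload, and cross-frame input is parsed only when it comes from a trusted origin:

```javascript
// Constructed illustration of the mitigation in the advisory (allowlisting the
// constructor name before restoring a prototype). Not TeleJSON's code; the
// marker name, registry and message shape below are assumptions.

const MARKER = "_constructor-name_";

// Hypothetical application class whose prototype parse() should restore.
class Point {
  constructor(x, y) { this.x = x; this.y = y; }
  norm() { return Math.hypot(this.x, this.y); }
}

// Hardened approach: the only prototypes that can be restored are the ones
// registered here. No string from the payload is ever evaluated as code.
const REGISTRY = new Map([["Point", Point.prototype]]);

function safeReviver(key, value) {
  if (value === null || typeof value !== "object" || !Object.hasOwn(value, MARKER)) {
    return value;
  }
  const name = value[MARKER];
  delete value[MARKER];
  const proto = typeof name === "string" ? REGISTRY.get(name) : undefined;
  // Unknown or malformed name: keep a plain object instead of evaluating anything.
  return proto === undefined ? value : Object.setPrototypeOf(value, proto);
}

function safeParse(text) {
  return JSON.parse(text, safeReviver);
}

// Guard for cross-frame delivery: only payloads from origins the application
// trusts are parsed. `msg` mirrors the `origin`/`data` fields of a MessageEvent.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

function handleMessage(msg) {
  if (!TRUSTED_ORIGINS.has(msg.origin) || typeof msg.data !== "string") {
    return null; // drop untrusted or non-string input without parsing it
  }
  return safeParse(msg.data);
}

// Constructed sample payloads: a registered class and an unregistered name.
const GOOD = '{"p":{"_constructor-name_":"Point","x":3,"y":4}}';
const UNKNOWN = '{"p":{"_constructor-name_":"NotRegistered; 1","x":3,"y":4}}';
```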



Advisories
Source: GitHub GHSA
ID: GHSA-ccgf-5rwj-j3hv
Title: TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
History

Wed, 20 May 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 19:30:00 +0000

Type: Description
Values Added: TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

Type: Title
Values Added: TeleJSON < 6.0.0 DOM-based XSS via parse() Function

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T19:28:13.563Z

Reserved: 2026-05-18T19:22:26.747Z

Link: CVE-2026-47099

Vulnrichment

Updated: 2026-05-20T19:28:09.577Z

NVD

Status: Received

Published: 2026-05-20T20:16:41.063

Modified: 2026-05-20T20:16:41.063

Link: CVE-2026-47099

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T20:45:03Z

Weaknesses