Description
jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.
Published: 2026-06-12
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the jmespath.php library. When `JmesPath\CompilerRuntime` is used, versions older than 2.9.1 compile JMESPath expressions into PHP source that is then loaded and executed by the runtime. Because function names from the expression are written into the generated file without sufficient escaping, an attacker who can influence the expression can insert arbitrary PHP code. The flaw allows execution of attacker‑controlled code, giving full code‑execution capabilities on the server. The weakness combines improper output escaping during code generation, improper input validation and code injection, as reflected in the CWE identifiers.

Affected Systems

Affected installations are those that include the jmespath.php package from the jmespath vendor at a version earlier than 2.9.1. Any PHP application that imports this library and uses `JmesPath\CompilerRuntime` to evaluate untrusted expressions is exposed. The exposure persists for as long as `JP_PHP_COMPILE` is enabled and the compiler runtime processes the expression.

Risk and Exploitability

The CVSS score of 9.8 classifies the flaw as critical. The EPSS score is unknown, which reduces certainty about current exploitation rates, and the vulnerability is not recorded in the CISA KEV catalog, indicating no publicly confirmed exploitation yet. Nonetheless, because the flaw permits remote code execution via crafted JMESPath expressions, it is highly actionable. The attack vector is likely remote, through any endpoint or service that accepts untrusted JMESPath expressions from users.

Generated by OpenCVE AI on June 12, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jmespath.php to version 2.9.1 or newer.
  • If upgrading is delayed, disable JP_PHP_COMPILE and avoid using JmesPath\CompilerRuntime; instead, use AstRuntime for untrusted expressions.
  • Verify that any legacy code paths that invoke the compiler runtime are either removed or guarded to ensure that untrusted expressions are never evaluated.
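
One way to apply these actions in application code, as an added example (not code from OpenCVE or the jmespath.php project): a startup check for the two exposure conditions and a wrapper that always evaluates untrusted expressions on an explicitly constructed `AstRuntime`. The Composer package name `mtdowling/jmespath.php`, the function names `jmespathExposure` and `searchUntrusted`, and the sample data are assumptions.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Composer\InstalledVersions;
use JmesPath\AstRuntime;
use JmesPath\SyntaxErrorException;

// Assumption: the library's Composer package name (not stated on this page).
const JMESPATH_PACKAGE = 'mtdowling/jmespath.php';
const FIXED_VERSION = '2.9.1';

/** Startup check: list reasons this process could reach the vulnerable compiler path. */
function jmespathExposure(): array
{
    $findings = [];
    $version = InstalledVersions::isInstalled(JMESPATH_PACKAGE)
        ? InstalledVersions::getPrettyVersion(JMESPATH_PACKAGE)
        : null;
    if ($version !== null && version_compare(ltrim($version, 'v'), FIXED_VERSION, '<')) {
        $findings[] = "jmespath.php $version is older than " . FIXED_VERSION;
    }
    // When this variable is set, the library's default runtime is the compiler runtime.
    if (getenv('JP_PHP_COMPILE') !== false) {
        $findings[] = 'JP_PHP_COMPILE is set; unset it for this process';
    }
    return $findings;
}

/** Evaluate an untrusted expression on an explicitly constructed AstRuntime. */
function searchUntrusted(string $expression, $data)
{
    static $runtime = null;
    $runtime ??= new AstRuntime(); // interprets the AST; generates no PHP source
    try {
        return $runtime($expression, $data);
    } catch (SyntaxErrorException $e) {
        throw new InvalidArgumentException('Invalid JMESPath expression', 0, $e);
    }
}

foreach (jmespathExposure() as $finding) {
    error_log("[jmespath] $finding");
}
// Constructed sample data; the filter keeps the names of active items.
var_dump(searchUntrusted('items[?active].name', [
    'items' => [['name' => 'a', 'active' => true], ['name' => 'b', 'active' => false]],
]));
```

Constructing the runtime directly, rather than relying on the library's environment-driven default, keeps the untrusted path on `AstRuntime` even if `JP_PHP_COMPILE` is later set by deployment configuration.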


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 14:30:00 +0000

Values Removed: none
Values Added:

  • Description: identical to the Description at the top of this page
  • Title: jmespath.php has CompilerRuntime code injection via unescaped function names
  • Weaknesses: CWE-116, CWE-20, CWE-94
  • References
  • Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:07:16.654Z

Reserved: 2026-06-11T21:15:33.870Z

Link: CVE-2026-54133

Vulnrichment

Updated: 2026-06-12T15:06:56.764Z

NVD

Status: Awaiting Analysis

Published: 2026-06-12T15:16:31.890

Modified: 2026-06-12T16:16:34.143

Link: CVE-2026-54133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:45:09Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output

  • CWE-20

    Improper Input Validation

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')