Security Beta update 5.2.0 Beta1 for Multi-Linux Manager Client Tools

This update fixes the following issues: golang-github-prometheus-prometheus: CVE-2026-27606: Fix arbitrary file write via path traversal in rollup bsc1258893 Bump rollup to version 4.59.0 Drop SLE 12 support jscPED-15474 CVE-2026-25547: Fix unbounded brace range expansion leading to excessive CPU...

Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to remote code execution (CVE-2026-1615)

Summary Node.js module jsonpath is used by IBM App Connect Enterprise Certified Container for processing JSON data. IBM App Connect Enterprise Certified Container operands are vulnerable to remote code execution. This bulletin provides patch information to address the reported vulnerability in...

3d-tiles-tools (>=0.1.0 <=0.1.3), 7ghost (>=4.11.0 <=4.11.46) +535 more potentially affected by CVE-2025-61140 via jsonpath (>=0.1.3 <=1.1.1)

jsonpath NPM version =0.1.3, =0.1.0, =4.11.0, =0.0.11, =0.6.0, =0.82.10-20200221024018, =0.1.27, =1.0.0, =2.0.15, =1.0.2, =1.0.0, =1.1.0, =3.0.6371, =4.0.2, =2.0.4, =2.1.27 and more Source cves: CVE-2025-61140 Source advisory: OSV:GHSA-6C59-MWGH-R2X6...

Prototype Pollution

Overview jsonpath is a Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the value function. An attacker can modify the prototype of built-in objects by supplying crafted input...

7ghost (>=4.11.0 <=4.11.46), @accordproject/concerto-ui-react (>=0.6.0 <=0.83.1-20200224151908) +269 more potentially affected by CVE-2025-61140 via jsonpath (>=1.0.0 <=1.1.1)

jsonpath NPM version =1.0.0, =4.11.0, =0.6.0, =0.82.10-20200221024018, =1.0.0, =1.1.0, =3.0.6371, =4.0.2, =2.0.4, =0.2.0, =4.0.149, =3.0.129, =4.0.174, =0.11.8, =1.2.5, =1.4.0 and more Source cves: CVE-2025-61140 Source advisory: SNYK:JS-JSONPATH-15134429...

Arbitrary Code Injection

Overview jsonpath is a Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval...

7ghost (>=4.11.0 <=4.11.46), @accordproject/concerto-ui-react (>=0.6.0 <=0.83.1-20200224151908) +270 more potentially affected by CVE-2026-1615 via jsonpath (>=1.0.0 <=1.2.1)

jsonpath NPM version =1.0.0, =4.11.0, =0.6.0, =0.82.10-20200221024018, =1.0.0, =1.1.0, =3.0.6371, =4.0.2, =2.0.4, =0.2.0, =4.0.149, =3.0.129, =4.0.174, =0.11.8, =1.2.5, =1.4.0 and more Source cves: CVE-2026-1615 Source advisory: SNYK:JS-JSONPATH-13645034...

Arbitrary Code Injection

Overview org.webjars.npm:jsonpath is a Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on th...

CVE-2024-47180 Shields.io Remote Code Execution vulnerability in Dynamic JSON/TOML/YAML badges

Shields.io is a service for concise, consistent, and legible badges in SVG and raster format. Shields.io and users self-hosting their own instance of shields using version server-2024-09-25 are vulnerable to a remote execution vulnerability via the JSONPath library used by the Dynamic...

PT-2024-32462 · Jsonpath +1 · Jsonpath +1

Name of the Vulnerable Software and Affected Versions: Shields.io versions prior to server-2024-09-25 Description: The issue concerns a remote execution vulnerability via the JSONPath library used by the Dynamic JSON/Toml/Yaml badges. This vulnerability allows any user with access to make a reque...