14 matches found
CVE-2026-47099
A flaw was found in TeleJSON. A remote attacker can exploit this DOM-based cross-site scripting XSS vulnerability by delivering a specially crafted JSON payload. This payload, containing a malicious constructor-name property value, is processed by the parse function without proper sanitization,...
CVE-2026-47099
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
CVE-2026-47099 TeleJSON < 6.0.0 DOM-based XSS via parse() Function
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
EUVD-2026-31150
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
CVE-2026-47099
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
CVE-2026-47099 TeleJSON < 6.0.0 DOM-based XSS via parse() Function
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
CVE-2026-47099
TeleJSON prior to 6.0.0 contains a DOM-based XSS via the parse() reviver that reads a constructor-name property and passes it to new Function(), allowing arbitrary JavaScript execution in contexts such as postMessage for cross-frame communication. Affected component: TeleJSON parse() in versions ...
TeleJSON 跨站脚本漏洞
TeleJSON is an open-source JSON extension library developed by Storybook that supports complex data types. Versions of TeleJSON prior to 6.0.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from a DOM-based cross-site scripting vulnerability within the parse function...
PT-2026-42227
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
Cross-site Scripting (XSS)
Overview telejson is an A library for teleporting rich data to another place. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the parse function. An attacker can execute arbitrary JavaScript code in the new Function context by supplying a crafted JSON payload...
@21epub/resource-lib (>=1.0.0 <=1.0.3), @8base/boost (>=1.2.0 <=1.5.0) +1614 more potentially affected by unknown CVE via telejson (>=1.0.1 <=5.3.3)
telejson NPM version =1.0.1, =1.0.0, =1.2.0, =1.0.0, =1.1.4, =1.16.0, =1.1.2, =0.5.19-20200320212412, =5.0.0, =1.0.0-beta.10, =0.0.3, =0.0.199-alpha.0, =1.0.22, =0.0.1, =0.2.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-CCGF-5RWJ-J3HV...
GHSA-CCGF-5RWJ-J3HV TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Summary telejson versions prior to 6.0.0 released 2022 are vulnerable to DOM-based Cross-Site Scripting XSS through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to new Function without sanitisation, allowing arbitrary...
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Summary telejson versions prior to 6.0.0 released 2022 are vulnerable to DOM-based Cross-Site Scripting XSS through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to new Function without sanitisation, allowing arbitrary...
Code Injection in storybookjs/telejson
✍️ Description telejson is a library for teleporting rich data to another place. The telejson.reviver which is used to parse string data back to json structure can be abused to execute arbitrary code when the lazyEval option is set to false i.e., disabled. The root cause is the attackers can...