TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` — CVE-2026-47099

ID: CVE-2026-47099
Source: GitHub
Vendor: GitHub
Threat: low
CVSS: 2.1

Summary

telejson versions prior to 6.0.0 (released 2022) are vulnerable to DOM-based Cross-Site Scripting (XSS) through unsafe deserialisation. Attacker-controlled input from the `_constructor-name_` property in parsed JSON is passed directly to `new Function()` without sanitisation, allowing arbitrary JavaScript execution.

Affected versions

| Package | Affected | Fixed |
|----------|-----------|----------|
|…

Product

npm: telejson

What to do

General, cautious steps (verify details in the official source):

  • Review exposure and plan remediation based on risk and environment.
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.
