CVE-2026-47099
Severity: MEDIUM
TeleJSON < 6.0.0 DOM-based XSS via parse() Function
Title source: cna
Description
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function. An attacker who can deliver a crafted JSON payload containing a malicious _constructor-name_ property value can execute arbitrary JavaScript: when recreating object prototypes, the custom reviver passes the constructor name directly to new Function() without sanitization, so the name is compiled and run as code. Any untrusted input that reaches parse(), for example a message received through postMessage in cross-frame communication, can therefore carry script that executes within the application. The sink is code generation rather than a DOM write, so HTML output encoding does not mitigate it; upgrade to 6.0.0 or later.
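The sink described above, as an added illustration that is not TeleJSON's own code: a JSON.parse reviver that restores an object's prototype from a _constructor-name_ marker, written once in the vulnerable shape (the name spliced into new Function() source) and once hardened (the name checked against an identifier pattern and applied with Object.defineProperty, with no code generation). The reviver functions, the helper names, the payload and the benign input are all constructed for this example; only the property key _constructor-name_ comes from the description.

```javascript
// Added example (not TeleJSON's code): a JSON.parse reviver that restores
// an object's prototype from a "_constructor-name_" marker, first in the
// vulnerable shape described in the advisory, then hardened.
// Run with: node reviver.js

const CTOR_KEY = "_constructor-name_";

function hasMarker(value) {
  return value !== null && typeof value === "object" && typeof value[CTOR_KEY] === "string";
}

// Vulnerable shape: the untrusted name is spliced into JavaScript source that
// new Function() compiles and runs. Anything that parses as an expression
// continuation after `function <name>` executes at this point.
function reviveUnsafe(key, value) {
  if (!hasMarker(value)) return value;
  const name = value[CTOR_KEY];
  const Ctor = new Function(`return function ${name}(){}`)(); // injection sink
  Object.setPrototypeOf(value, Ctor.prototype);
  delete value[CTOR_KEY];
  return value;
}

// Hardened shape: accept only a plain identifier, and never generate code.
// The constructor name is set as a data property on an ordinary function.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function reviveSafe(key, value) {
  if (!hasMarker(value)) return value;
  const name = value[CTOR_KEY];
  if (!IDENTIFIER.test(name)) {
    throw new Error(`rejected constructor name ${JSON.stringify(name)}`);
  }
  const Ctor = function () {};
  Object.defineProperty(Ctor, "name", { value: name });
  Object.setPrototypeOf(value, Ctor.prototype);
  delete value[CTOR_KEY];
  return value;
}

// Constructed attacker payload. The marker value closes the generated
// function expression, runs an assignment via the comma operator, then opens
// another function so the generated source still parses:
//   return function Evil(){}, (globalThis.pwned = "xss"), function Evil(){}
const PAYLOAD = JSON.stringify({
  [CTOR_KEY]: 'Evil(){}, (globalThis.pwned = "xss"), function Evil',
  data: 1,
});

// Constructed benign input: the marker a serializer would emit for a class.
const BENIGN = JSON.stringify({ [CTOR_KEY]: "Point", x: 1, y: 2 });

// Parses `text` with the vulnerable reviver and reports whether the injected
// assignment ran: "xss" if it did, undefined otherwise.
function runUnsafe(text) {
  delete globalThis.pwned;
  JSON.parse(text, reviveUnsafe);
  return globalThis.pwned;
}

// Parses `text` with the hardened reviver; reports acceptance, the restored
// constructor name on success, and whether any injected code ran.
function runSafe(text) {
  delete globalThis.pwned;
  try {
    const obj = JSON.parse(text, reviveSafe);
    const ctor = Object.getPrototypeOf(obj).constructor.name;
    return { ok: true, ctor, pwned: globalThis.pwned };
  } catch (err) {
    return { ok: false, error: err.message, pwned: globalThis.pwned };
  }
}

if (typeof module !== "undefined" && require.main === module) {
  console.log("unsafe, payload:", runUnsafe(PAYLOAD)); // xss
  console.log("unsafe, benign: ", runUnsafe(BENIGN));  // undefined
  console.log("safe, payload:  ", runSafe(PAYLOAD));   // { ok: false, ... }
  console.log("safe, benign:   ", runSafe(BENIGN));    // { ok: true, ctor: 'Point', ... }
}
```

runUnsafe(PAYLOAD) returns "xss" because the assignment inside the comma expression executes while new Function() builds the constructor, before the parsed object is ever used; runSafe(PAYLOAD) rejects the name before any source is generated, and runSafe(BENIGN) still restores a prototype whose constructor is named Point. The identifier check is a secondary layer; the durable change is removing new Function() from the path, so that a marker value can never reach a code generator.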
References (3)
Vendor Advisory (patch): https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv
Third Party Advisory: https://www.vulncheck.com/advisories/telejson-dom-based-xss-via-parse-function
Technical Description: https://github.com/Niccolo10/Security-Advisories/blob/main/CVE-2026-47099/cve-2026-47099.md
Scores
CVSS v3: 6.1 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0003 (percentile 10.0%)
CISA SSVC (Vulnrichment): Exploitation none; Automatable no; Technical Impact partial
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (2)
npm/telejson: 0 - 6.0.0 (npm), i.e. all versions before 6.0.0
storybookjs/telejson: < 6.0.0
Published: May 20, 2026
Tracked Since: May 21, 2026