Copyright © 2012 Red Hat, Inc. All rights reserved.
Moderate
2026-05-20T18:00:44
telejson: TeleJSON: Arbitrary code execution via DOM-based cross-site scripting
5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-79
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.
A flaw was found in TeleJSON. A remote attacker can exploit this DOM-based cross-site scripting (XSS) vulnerability by delivering a specially crafted JSON payload. This payload, containing a malicious `_constructor-name_` property value, is processed by the `parse()` function without proper sanitization, allowing the attacker to execute arbitrary JavaScript code within the application. This could lead to unauthorized actions or information disclosure.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Node HealthCheck Operator
Fix deferred
workload-availability/node-healthcheck-must-gather-rhel9
Node HealthCheck Operator
Fix deferred
workload-availability/node-healthcheck-operator-bundle
Node HealthCheck Operator
Fix deferred
workload-availability/node-healthcheck-rhel9-operator
Red Hat Fuse 7
Fix deferred
telejson
Red Hat OpenShift AI (RHOAI)
Fix deferred
rhoai/odh-mlflow-rhel9
https://www.cve.org/CVERecord?id=CVE-2026-47099
https://nvd.nist.gov/vuln/detail/CVE-2026-47099
https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv
https://www.vulncheck.com/advisories/telejson-dom-based-xss-via-parse-function