DOM-Based Cross-Site Scripting in TeleJSON Affects Web Applications
CVE-2026-47099

2.1LOW

Key Information:

Vendor: Storybookjs
Status: Telejson
Vendor: CVE Published:; 20 May 2026

🔔 Create Storybookjs Vulnerability Alert

What is CVE-2026-47099?

TeleJSON versions prior to 6.0.0 are susceptible to a DOM-based cross-site scripting vulnerability, specifically within the parse() function. This flaw allows attackers to craft malicious JSON payloads that exploit the unvalidated constructor-name property. When the application utilizes this property, it directly passes input to new Function() without any sanitization, enabling the execution of arbitrary JavaScript. This vulnerability can be leveraged through various manipulation methods, including postMessage in cross-frame communication contexts, posing significant risks to web applications relying on TeleJSON for JSON parsing.

Affected Version(s)

telejson 0

References

https://github.com/storybookjs/telejson/security/advisori...

vendor-advisorypatch

https://www.vulncheck.com/advisories/telejson-dom-based-x...

third-party-advisory

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
May 18, 2026

Credit

Niccolò Parlanti

CVE-2026-47099 Data

JSON