jmespath.php has CompilerRuntime code injection via unescaped function names
CVE-2026-54133

9.8CRITICAL

Key Information:

Vendor: Jmespath
Status: Jmespath.PHP
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-54133?

jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when JmesPath\CompilerRuntime is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in 2.9.1 and later. As a workaround, disable JP_PHP_COMPILE and do not use JmesPath\CompilerRuntime with attacker-controlled expressions. Use the default AstRuntime for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.

Affected Version(s)

jmespath.php < 2.9.1

References

https://github.com/jmespath/jmespath.php/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 11, 2026

CVE-2026-54133 Data

JSON

Jmespath

What is CVE-2026-54133?

Affected Version(s)

References

CVSS V3.1

Timeline