CVE-2026-47099— TeleJSON < 6.0.0 DOM-based XSS via parse() Function

TeleJSON < 6.0.0 DOM-based XSS via parse() Function

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

TeleJSON 跨站脚本漏洞

TeleJSON是Storybook开源的一款支持复杂数据类型的JSON扩展库。 TeleJSON 6.0.0之前版本存在跨站脚本漏洞，该漏洞源于parse函数中存在基于DOM的跨站脚本漏洞，攻击者可通过传递包含恶意_constructor-name_属性值的特制JSON有效载荷，在自定义reviver将构造函数名称直接传递给new Function而未进行清理时，通过postMessage等跨框架通信向量注入任意JavaScript，从而在应用中执行脚本。

N/A

N/A