GHSA-pppg-cpfq-h7wr

GHSA-pppg-cpfq-h7wr PUBLISHED CVSS 9.8 CRITICAL

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

Risk Scores

CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P

Affected Products

| Vendor | Product | Versions |
| --- | --- | --- |
| csaf_redhat | registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:3da4799b9a79f688ca55ec85d0b3e28348dbc2661e82110aedbf27dfa97f49e1_amd64 | |
| csaf_redhat | devspaces/configbump-rhel8@sha256:b99750c52fed441b2faf995a7eb3bfe83aad853d9e9ae26f2556f5efd2fce662_ppc64le | |
| csaf_certbund | Dev Spaces 3.17 | |
| csaf_redhat | devspaces/traefik-rhel8@sha256:fbf8735d035e53c538d9b6eab5a875d4c0a634c7b5c61010caebb8aa2622ef3c_ppc64le | |
| n/a | org.webjars.npm:jsonpath-plus | 0 <* |
| csaf_redhat | Red Hat Developer Hub 1.6 | |
| csaf_redhat | devspaces/machineexec-rhel8@sha256:d892d008651e973127665947e9ece200bca3294dbc147f4a02c09302dd18da91_amd64 | |
| csaf_certbund | IBM App Connect Enterprise <12.0.6 | |
| csaf_redhat | devspaces/imagepuller-rhel8@sha256:a983f5c523406a811ebcefbf855e378dfb99356b529a5f0f6027b852a147ed53_s390x | |
| csaf_redhat | devspaces/dashboard-rhel8@sha256:95302249f869bd80308548a63683bb892ca40e876561fea204169f405bb220e7_amd64 | |
| csaf_certbund | Red Hat OpenShift Serverless Logic 1.35.0 | |
| csaf_redhat | devspaces/server-rhel8@sha256:81e1327cdcd4af6c801db90e4ef998f6b4701a5b3a73464ae2448bc23c83e334_ppc64le | |
| csaf_certbund | IBM App Connect Enterprise <12.0.12.9 | |
| csaf_certbund | 5.0.22 | |
| csaf_certbund | IBM App Connect Enterprise <5.0.22 | |
| csaf_certbund | 13.0.2.0 | |
| csaf_redhat | devspaces/code-rhel8@sha256:2a4deccbc7b8c5bc53f2fde315ccd93e7f2c2022e9288f7a93ed642feb808dc1_amd64 | |
| csaf_certbund | 12.0.6 | |
| csaf_redhat | registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b6bf7ded5e146f60141840bb2e42e72125c61af0f3d3c3fbf48b35bc670675fe_amd64 | |
| csaf_certbund | App Connect Enterprise | |

…and 51 more

Timeline

  • CVE Published
  • Mar 2, 2026 Security Advisory
  • Mar 2, 2026 Security Advisory
  • Mar 2, 2026 Security Advisory
  • Mar 2, 2026 Security Advisory
  • Mar 2, 2026 Security Advisory
  • Mar 2, 2026 Security Advisory
  • Mar 2, 2026 Security Advisory
  • Mar 2, 2026 Security Advisory
  • Mar 2, 2026 Security Advisory
  • Mar 21, 2026 Security Advisory