CVE-2026-54133

Critical · CVSS 9.8

jmespath.php — Code Injection via insufficient escaping of attacker-controlled JMESPath function names in generated PHP source (RCE)

CVSS: 9.8; nvd
EPSS: —
KEV: No
Class: other; CWE-20, CWE-94, CWE-116

Description

jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.

Search profile — drives PoC discovery

Symbols JmesPath\CompilerRuntimeAstRuntimeJP_PHP_COMPILEJmesPath\CompilerRuntimejmespath.phpCompilerRuntimegenerated cache fileJMESPath expressionemit_search_profile

Keywords CVE-2026-54133jmespath.phpCompilerRuntimeJMESPath PHP code injectionGHSA-pcw8-m77r-2528jmespath php RCEJP_PHP_COMPILEAstRuntimejmespath compiler exploitjmespath.php poc

Versions: < 2.9.1

References

Status: enriched · ingested 2026-06-16T00:00:58.000Z · profiled 2026-06-16T18:20:23.035Z