CVE-2026-12208

MEDIUM 5.3

jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-1321 CWE-94
Vendor	jsonata-js
Product	jsonata
Published	Jun 15, 2026

Stay Ahead of the Next One

Get instant alerts for jsonata-js jsonata

Be the first to know when new medium vulnerabilities affecting jsonata-js jsonata are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

jsonata-js / jsonata

2.0 2.1 2.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/370850 vuldb.com: https://vuldb.com/vuln/370850/cti vuldb.com: https://vuldb.com/cve/CVE-2026-12208 vuldb.com: https://vuldb.com/submit/832446 github.com: https://github.com/OriginSecurityX/jsonata-hasownproperty-bypass

Credits

🔍 Frederick (VulDB User) VulDB CNA Team