CVE-2026-47099

MEDIUM 6.1

TeleJSON < 6.0.0 DOM-based XSS via parse() Function

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

CWE	CWE-79
Vendor	storybookjs
Product	telejson
Published	May 20, 2026
Last Updated	May 20, 2026

Stay Ahead of the Next One

Get instant alerts for storybookjs telejson

Be the first to know when new medium vulnerabilities affecting storybookjs telejson are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

storybookjs / telejson

0 < 6.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv vulncheck.com: https://www.vulncheck.com/advisories/telejson-dom-based-xss-via-parse-function

Credits

Niccolò Parlanti