{"id":"CVE-2026-54133","summary":"jmespath.php has CompilerRuntime code injection via unescaped function names","details":"jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.","aliases":["GHSA-pcw8-m77r-2528"],"modified":"2026-07-08T08:13:42.843336703Z","published":"2026-06-12T13:56:37.874Z","related":["CGA-pjf7-q3vg-8mfm"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54133.json","cwe_ids":["CWE-116","CWE-20","CWE-94"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54133.json"},{"type":"ADVISORY","url":"https://github.com/jmespath/jmespath.php/security/advisories/GHSA-pcw8-m77r-2528"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54133"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jmespath/jmespath.php","events":[{"introduced":"0"},{"fixed":"9c208ba27ae7d90853c288b3795d6702eb251d34"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"0"},{"fixed":"2.9.1"}],"cpe":"cpe:2.3:a:jmespath:jmespath:*:*:*:*:*:php:*:*"}}],"versions":["2.9.0","2.8.0","2.7.0","2.6.1","2.6.0","2.5.0","2.4.0","2.3.0","2.2.0","2.1.0","2.0.0","1.1.1","1.1.0","1.0.0","0.4.0","0.3.0","0.2.0","0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54133.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}