Description
telejson versions prior to 6.0.0 (released 2022) are vulnerable to DOM-based Cross-Site Scripting (XSS) through unsafe deserialisation. The value of the _constructor-name_ property in parsed JSON is attacker-controlled and is passed directly to new Function() without sanitisation, allowing arbitrary JavaScript execution in the context of the page that deserialises the data.
Recommendation
Update the telejson package to the latest compatible version. Version details:
- Affected version(s): < 6.0.0
- Patched version(s): 6.0.0
References
Related Issues
- CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function - CVE-2026-26861
- Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State - CVE-2026-42573
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
- Tags:
- npm
- telejson
Last updated on May 20, 2026