VYPR
Medium severity (6.1) · GHSA Advisory · Published May 20, 2026

CVE-2026-47099

Description

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TeleJSON versions prior to 6.0.0 are vulnerable to DOM-based XSS via the parse() function, allowing arbitrary JavaScript execution through crafted JSON payloads.

Vulnerability

TeleJSON prior to version 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function. When reconstructing JavaScript objects from serialized JSON, the custom reviver passes the value of the _constructor-name_ property directly to new Function() without sanitization, enabling injection of arbitrary JavaScript code [1][2][3][4].

Exploitation

An attacker can deliver a crafted JSON payload containing a malicious _constructor-name_ value to the telejson.parse() function. This can be achieved, for example, via postMessage in cross-frame communication contexts. The attacker does not need authentication; user interaction may be required depending on the delivery vector. The payload is passed to new Function() which executes the injected code [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the application using the vulnerable TeleJSON version. This could lead to session hijacking, credential theft, or other malicious actions depending on the application's permissions and data accessibility [2][3].

Mitigation

The vulnerability is fixed in TeleJSON version 6.0.0, released in 2022 [1][2][3]. The fix introduces sanitization of the constructor name using a regular expression to strip non-word characters, and gates the vulnerable code path behind an allowFunction option. Users should upgrade to version 6.0.0 or later. No workarounds are provided for earlier versions [2][3].
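The hardened reviver pattern the fix describes, as an added example that is not TeleJSON's own code: the `_constructor-name_` marker is stripped of non-word characters and the reconstruction path is off unless the caller opts in. Going one step beyond the page, the sanitized name is resolved against an explicit registry of constructors rather than evaluated as code, so an unknown name only ever yields a plain object; the option name `allowFunction`, the registry, and the `Point` class are assumptions for illustration.

```javascript
// Added example (not telejson's code). Marker key, option name and registry are illustrative.
const CTOR_KEY = '_constructor-name_';

// Strip every non-word character so the name can only be an identifier, never code.
function sanitizeConstructorName(name) {
  return String(name).replace(/\W/g, '');
}

function makeReviver(options) {
  const { allowFunction = false, constructors = {} } = options;
  return function reviver(key, value) {
    if (value === null || typeof value !== 'object' || !(CTOR_KEY in value)) {
      return value;
    }
    const { [CTOR_KEY]: rawName, ...props } = value;
    // Default-off gate: without opt-in the marker is dropped and a plain object returned.
    if (!allowFunction) return props;
    const name = sanitizeConstructorName(rawName);
    // Resolve only against the caller-supplied registry; no dynamic code evaluation.
    const Ctor = Object.prototype.hasOwnProperty.call(constructors, name)
      ? constructors[name]
      : null;
    if (typeof Ctor !== 'function') return props;
    return Object.assign(Object.create(Ctor.prototype), props);
  };
}

function safeParse(text, options = {}) {
  return JSON.parse(text, makeReviver(options));
}

// Hypothetical application class that the registry makes reconstructible.
class Point {
  norm() { return Math.hypot(this.x, this.y); }
}

// Constructed sample inputs: a legitimate marker and one that is not an identifier.
const GOOD = JSON.stringify({ [CTOR_KEY]: 'Point', x: 3, y: 4 });
const BAD = JSON.stringify({ [CTOR_KEY]: 'Point; not an identifier', x: 1, y: 2 });
```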

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Storybook/Telejson (GHSA, 2 version ranges)
    • (no CPE) range: < 6.0.0
    • (no CPE) range: < 6.0.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.