CVE-2026-47099 LOW

CVE-2026-47099: TeleJSON < 6.0.0 DOM-based XSS via parse() Function

Vendor Storybookjs
Product telejson
Weakness CWE-79 · XSS
Published May 20, 2026
Last update May 21, 2026

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function. An attacker can execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value: the custom reviver passes that constructor name directly to new Function() without sanitization when recreating object prototypes, so code embedded in the value runs. Delivery vectors include postMessage in cross-frame communication contexts, where an untrusted payload reaches parse() and achieves script execution within the application.

Key dates

Disclosure timeline

May 20, 2026 CVE published
May 21, 2026 Record updated