jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when JmesPath\CompilerRuntime is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in 2.9.1 and later. As a workaround, disable JP_PHP_COMPILE and do not use JmesPath\CompilerRuntime with attacker-controlled expressions. Use the default AstRuntime for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54133.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-116",
"CWE-20",
"CWE-94"
]
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:jmespath:jmespath:*:*:*:*:*:php:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.9.1"
}
]
}