CRITICAL | CVE-2026-54133 | CNA: GitHub_M

CVE-2026-54133: jmespath.php has CompilerRuntime code injection via unescaped function names

jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a code injection vulnerability in jmespath.php, a PHP library for extracting data from JSON documents using JMESPath expressions. The flaw is reachable over the network with no authentication required, and affects applications that pass attacker-controlled JMESPath expressions to the CompilerRuntime class, which emits unescaped function names directly into generated PHP cache files. Successful exploitation gives an attacker arbitrary remote code execution on the host running the PHP application. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment the upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle jmespath.php as a Composer dependency.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each environment's compliance policy to determine urgency and routing, directing alerts to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment jmespath/jmespath.php 2.9.1 or later is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be queued immediately upon upstream patch availability.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is exposed over the network; an attacker must be able to send a crafted JMESPath expression to any application endpoint that passes user input to CompilerRuntime.

  • Authentication: Not required

    No credentials or account are needed; any unauthenticated request carrying a malicious JMESPath expression is sufficient to trigger the vulnerability.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker drives exploitation entirely through their own network request.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race condition, memory layout dependency, or special environmental state is required to achieve code injection.

Blast Radius

  • Attacker executes arbitrary PHP code in the context of the web server process, gaining full control over application logic and runtime state.
  • Attacker reads any file or secret accessible to the PHP process, including database credentials, API keys, and session tokens stored on disk or in environment variables.
  • Attacker writes or modifies files on the host filesystem reachable by the PHP process, including the application source, configuration files, and generated cache files.
  • Attacker can crash or destabilize the application process, causing a denial of service for all users of the affected service.

How HarborGuard Handles This

Available on HarborGuard: because no fix version exists for CVE-2026-54133 at this time, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will trigger rebuild and auto-remediation workflows the moment jmespath.php 2.9.1 is published upstream. In the interim, customers can use HarborGuard policy controls to flag any image containing jmespath.php versions below 2.9.1 as non-compliant and block promotion to production registries. As compensating controls, network policy isolation can restrict which services are permitted to accept raw user-supplied JMESPath expressions, and teams should audit application code to confirm that untrusted input is routed only to AstRuntime and never to CompilerRuntime. Where compliance policy permits, auto-remediation customers will receive a rebuilt image, a regression test run, and a PR opened against affected workloads within minutes of the upstream patch landing.
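
One way to run the two checks described above (flagging jmespath.php below 2.9.1 in a `composer.lock` and auditing PHP source for use of the compiler runtime), as an added example that is not HarborGuard's or the jmespath.php project's code. The function names, the sample lock file and the sample sources are constructed for illustration, and matching the package by its `/jmespath.php` name suffix is an assumption about how it appears in the lock file.

```python
import json
import re

FIXED = (2, 9, 1)  # first patched release per the advisory
RISKY = re.compile(r"\bCompilerRuntime\b|\bJP_PHP_COMPILE\b")  # names from the advisory


def parse_version(text):
    """Turn 'v2.8.0' or '2.9.1' into (2, 8, 0); None for dev/branch versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def vulnerable_packages(lock_text):
    """Return [(name, version)] for jmespath.php entries below 2.9.1."""
    lock = json.loads(lock_text)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if not name.lower().endswith("/jmespath.php"):  # assumed name suffix
            continue
        ver = parse_version(pkg.get("version", ""))
        # Unparseable versions (dev-master etc.) are reported for manual review.
        if ver is None or ver < FIXED:
            hits.append((name, pkg.get("version", "")))
    return hits


def compiler_references(sources):
    """Return [(path, line_no, line)] where PHP source names the compiler runtime."""
    found = []
    for path, text in sources.items():
        for n, line in enumerate(text.splitlines(), 1):
            if RISKY.search(line):
                found.append((path, n, line.strip()))
    return found


# Constructed sample input, not taken from any real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "mtdowling/jmespath.php", "version": "2.8.0"},
    {"name": "psr/log", "version": "3.0.0"}]})
SAMPLE_SOURCES = {
    "src/Search.php": "<?php\n$rt = new \\JmesPath\\CompilerRuntime($dir);\n",
    "src/Safe.php": "<?php\n$rt = new \\JmesPath\\AstRuntime();\n",
}

if __name__ == "__main__":
    print(vulnerable_packages(SAMPLE_LOCK), compiler_references(SAMPLE_SOURCES))
```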

Affected packages

  • jmespath / jmespath.php: < 2.9.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H