CVE-2026-54133
Status: Awaiting Analysis (Queue)
Code Execution in jmespath.php via JMESPath Expression

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: jmespath
Product: jmespath.php
Version / Range: up to 2.9.1 (excluding 2.9.1)
CWE IDs and Descriptions
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Executive Summary

CVE-2026-54133 is a critical code injection vulnerability in the jmespath.php package versions prior to 2.9.1. It occurs when the JmesPath\CompilerRuntime is used with attacker-controlled JMESPath expressions. The compiler generates PHP source code by embedding parsed JMESPath function names without properly escaping them. An attacker can craft a malicious JMESPath expression that causes the generated cache file to contain executable PHP code controlled by the attacker. This malicious code is then loaded and executed by the compiler runtime, allowing arbitrary code execution with the privileges of the PHP process.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the server running the vulnerable jmespath.php package. An attacker who can control the JMESPath expression can inject and execute malicious PHP code, potentially compromising the entire application and server. This can result in data theft, data loss, service disruption, or full system compromise. The vulnerability is remotely exploitable without requiring any privileges or user interaction.

Detection Guidance

Detection of this vulnerability involves identifying if your PHP application uses the jmespath.php package with a version prior to 2.9.1 and if it employs the JmesPath\CompilerRuntime with attacker-controlled JMESPath expressions.

You can check the installed version of jmespath.php by running a command to inspect your PHP dependencies, for example:

  • composer show jmespath/jmespath.php

To detect if the vulnerable CompilerRuntime is used and JP_PHP_COMPILE is enabled, you may need to review your application code or configuration for usage of JmesPath\CompilerRuntime and the JP_PHP_COMPILE setting.

Additionally, you can search the compiler's cache directory for generated PHP files that contain unexpected or attacker-controlled code. For example, on the server, you might run:

  • grep -r --include="*.php" -E "function|eval|assert" /path/to/cache/

Expect every legitimately compiled cache file to match `function`, because the compiler wraps each expression in a generated PHP function; matches on `eval`, `assert`, or other code that is not a plain JMESPath evaluation are what warrant manual review.

Network detection is difficult since exploitation requires attacker-controlled JMESPath expressions; monitoring logs for unusual or unexpected JMESPath expressions or payloads may help.

Mitigation Strategies

Immediate mitigation steps include upgrading the jmespath.php package to version 2.9.1 or later, where the vulnerability is patched.

If upgrading is not immediately possible, apply the following workarounds:

  • Disable the JP_PHP_COMPILE setting to prevent the compiler from generating executable PHP code.
  • Avoid using JmesPath\CompilerRuntime with untrusted or attacker-controlled JMESPath expressions.
  • Use the default AstRuntime for evaluating untrusted JMESPath expressions instead of the CompilerRuntime.

Ensure that any untrusted JMESPath expressions are never evaluated by the compiler runtime until the package is upgraded.
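The workarounds above, as an added PHP example that is not code from jmespath.php or from this advisory. It assumes a Composer install of jmespath/jmespath.php and the library's public `AstRuntime`, `CompilerRuntime` and `Env::createRuntime()` API; the helper names `searchUntrusted` and `assertCompilerDisabled` are hypothetical.

```php
<?php
// Added example, not part of jmespath.php or the advisory.
// Assumes: composer require jmespath/jmespath.php (2.9.1 or later preferred).
require __DIR__ . '/vendor/autoload.php';

use JmesPath\AstRuntime;
use JmesPath\CompilerRuntime;
use JmesPath\Env;

/**
 * Evaluate an expression supplied by an untrusted party (request input,
 * stored user configuration, ...). AstRuntime interprets the parsed AST in
 * memory and never writes or loads PHP source, so the generated-cache-file
 * code injection of CVE-2026-54133 does not apply to this path.
 */
function searchUntrusted(string $expression, $data)
{
    static $runtime = null;
    if ($runtime === null) {
        // Constructed explicitly: this ignores JP_PHP_COMPILE entirely,
        // unlike Env::search() / JmesPath\search(), whose runtime is chosen
        // by Env::createRuntime() and becomes CompilerRuntime when that
        // environment variable is set.
        $runtime = new AstRuntime();
    }
    return $runtime($expression, $data);
}

/**
 * Startup check for code that still calls the convenience helpers:
 * refuse to run if this process would compile expressions to PHP.
 */
function assertCompilerDisabled(): void
{
    if (getenv('JP_PHP_COMPILE') !== false) {
        throw new RuntimeException(
            'JP_PHP_COMPILE is set; expressions would reach CompilerRuntime'
        );
    }
    if (Env::createRuntime() instanceof CompilerRuntime) {
        throw new RuntimeException('default JMESPath runtime compiles to PHP');
    }
}

// Constructed sample document and a (pretend) user-supplied expression.
$doc = ['users' => [['name' => 'ann', 'role' => 'admin'],
                    ['name' => 'bob', 'role' => 'dev']]];
assertCompilerDisabled();
var_dump(searchUntrusted("users[?role=='admin'].name", $doc)); // ["ann"]
```

Routing every expression that originates outside the application through `searchUntrusted` keeps the compiler out of reach even if `JP_PHP_COMPILE` is later set for trusted, static expressions elsewhere.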

Compliance Impact

CVE-2026-54133 is a critical code injection vulnerability that allows an attacker to execute arbitrary PHP code within affected applications. This can lead to unauthorized access, data manipulation, or data disclosure.

Such unauthorized access or data breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and mandate controls against unauthorized access and code execution.

Organizations using vulnerable versions of jmespath.php that allow attacker-controlled expressions to be compiled may risk violating these regulations if the vulnerability is exploited, potentially leading to data breaches or loss of data integrity.

Mitigations such as upgrading to version 2.9.1 or later, disabling JP_PHP_COMPILE, or avoiding the use of CompilerRuntime with untrusted expressions are necessary to maintain compliance and reduce risk.
