All versions of jsonpath have known vulnerability.

The CVE states <1.2.0 but reports state that all versions are vulnerable https://nvd.nist.gov/vuln/detail/CVE-2026-1615 

> Developers are strongly advised to migrate to a secure alternative (such as jsonpath-plus or similar libraries that do not use eval/static-eval) or strictly validate all JSON Path inputs against a known allowlist.