Format String Injection Vulnerability in Ruby JSON by Ruby
CVE-2026-33210

8.3 HIGH

Key Information:

Vendor

Ruby

Status
Vendor
CVE Published:
20 March 2026

What is CVE-2026-33210?

A format string injection vulnerability exists in Ruby JSON, affecting versions from 2.14.0 up to, but not including, 2.15.2.1, 2.17.1.2, and 2.19.2. When user-supplied documents are parsed with the 'allow_duplicate_key: false' option, the vulnerability can lead to denial of service or disclosure of sensitive information. Users are strongly encouraged to update to a patched version.

Affected Version(s)

json >= 2.14.0, < 2.15.2.1 < 2.14.0, 2.15.2.1

json >= 2.16.0, < 2.17.1.2 < 2.16.0, 2.17.1.2

json >= 2.18.0, < 2.19.2 < 2.18.0, 2.19.2
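
A triage check built from the ranges and the option named above, as an added example that is not part of the advisory or the json project. It assumes the standard Gemfile.lock layout (spec lines indented four spaces); the helper names and sample inputs are constructed for illustration.

```ruby
require "rubygems"

# Affected ranges of the json gem, copied from "Affected Version(s)" on this page.
AFFECTED_RANGES = [
  Gem::Requirement.new(">= 2.14.0", "< 2.15.2.1"),
  Gem::Requirement.new(">= 2.16.0", "< 2.17.1.2"),
  Gem::Requirement.new(">= 2.18.0", "< 2.19.2"),
].freeze

# Option named in the description, in keyword or hash-rocket form.
STRICT_DUP_KEY = /\ballow_duplicate_key:\s*false\b|:allow_duplicate_key\s*=>\s*false\b/

def json_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(v) }
end

# Resolved json versions in Gemfile.lock text. Spec lines look like
# "    json (2.15.1)" or "    json (2.15.1-java)"; the platform suffix is
# dropped before comparison. Dependency lines (six spaces) do not match.
def locked_json_versions(lock_text)
  lock_text.scan(/^ {4}json \(([0-9A-Za-z.]+)(?:-[^)]+)?\)\s*$/).flatten.uniq
end

# Line numbers (1-based) where source text sets allow_duplicate_key: false.
def strict_dup_key_lines(source_text)
  source_text.each_line.with_index(1).select { |line, _| line.match?(STRICT_DUP_KEY) }.map(&:last)
end

def triage(lock_text, source_text)
  affected = locked_json_versions(lock_text).select { |v| json_affected?(v) }
  lines = strict_dup_key_lines(source_text)
  { affected_versions: affected, option_lines: lines,
    exposed: !affected.empty? && !lines.empty? }
end

# Constructed sample inputs (not from the page).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.17.1)
LOCK
SAMPLE_SOURCE = <<~RUBY
  require "json"
  doc = JSON.parse(request_body, allow_duplicate_key: false)
RUBY

p triage(SAMPLE_LOCK, SAMPLE_SOURCE) if __FILE__ == $PROGRAM_NAME
```

The source scan only finds the option when it is written literally; code that passes it through a variable or shared options hash needs manual review.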

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
