JSON Processor Vulnerability in jq Affects Command-Line Parsing
CVE-2026-33948

2.9 LOW

Key Information:

Vendor

Jqlang

Status
Vendor
CVE Published:
13 April 2026

What is CVE-2026-33948?

The jq command-line JSON processor contains an input-validation bypass caused by faulty command-line input parsing. Versions prior to the fixing commit listed below truncate input at the first embedded NUL byte, which opens the door to parser-differential attacks: an attacker supplies a benign JSON prefix, a NUL byte, and then further data, so jq validates only the prefix and silently ignores everything after the NUL. This puts workflows that use jq as a validation step at risk, because input that jq accepted can be passed to downstream systems that read the full buffer and may not validate it themselves, increasing the likelihood of data-processing errors and security breaches.
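As an added illustration (not jq's code and not part of the advisory), the script below models the behaviour described above: a reader that truncates at the first NUL byte is compared with a strict reader that rejects embedded NULs, over a constructed sample. The strict check is the gate a pipeline would apply before handing bytes to jq or to anything downstream of it.

```python
import json

# Constructed samples (not taken from the advisory): a valid JSON prefix,
# then an embedded NUL byte, then bytes that a NUL-truncating reader drops.
SAMPLE_WITH_NUL = b'{"user": "alice", "role": "reader"}\x00{"role": "admin"}'
SAMPLE_CLEAN = b'{"user": "alice", "role": "reader"}'


def parse_truncating_at_nul(data: bytes):
    """Model of a C-string-style consumer (illustrative, not jq's own code):
    everything from the first NUL byte onward is silently discarded."""
    visible = data.split(b"\x00", 1)[0]
    return json.loads(visible.decode("utf-8"))


def hidden_bytes_after_nul(data: bytes) -> int:
    """How many bytes a NUL-truncating reader would never look at."""
    nul = data.find(b"\x00")
    return 0 if nul < 0 else len(data) - nul


def parse_strict(data: bytes):
    """Defensive gate: refuse input with an embedded NUL, then parse the whole
    buffer, so the validated view and the raw bytes passed on cannot diverge."""
    nul = data.find(b"\x00")
    if nul >= 0:
        raise ValueError(f"embedded NUL byte at offset {nul}")
    return json.loads(data.decode("utf-8"))


def differential(data: bytes) -> dict:
    """Report whether the two readers disagree on the same bytes.
    json.JSONDecodeError and UnicodeDecodeError are ValueError subclasses."""
    truncating_ok = strict_ok = True
    try:
        parse_truncating_at_nul(data)
    except ValueError:
        truncating_ok = False
    try:
        parse_strict(data)
    except ValueError:
        strict_ok = False
    return {
        "accepted_by_truncating_reader": truncating_ok,
        "accepted_by_strict_reader": strict_ok,
        "hidden_bytes": hidden_bytes_after_nul(data),
        "parser_differential": truncating_ok != strict_ok,
    }


if __name__ == "__main__":
    print(differential(SAMPLE_WITH_NUL))
    print(differential(SAMPLE_CLEAN))
```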

Affected Version(s)

jq < 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b

References

CVSS V4

Score:
2.9
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
