NUL Byte Vulnerability in jq Command-line JSON Processor
CVE-2026-43895

4.4 MEDIUM

Key Information:

Vendor: Jqlang
Status: Vendor
CVE Published: 11 May 2026

What is CVE-2026-43895?

The jq command-line JSON processor, in versions 1.8.1 and earlier, accepts embedded NUL bytes in import paths. Because module and data-file lookups resolve these paths with C string operations, which stop at the first NUL byte, the logical import string that jq validated can differ from the path that is actually opened on disk, potentially allowing unauthorized access to files or resources during import. Users of jq are urged to review their configurations and consider upgrading to mitigate any associated risks.

Affected Version(s)

jq <= 1.8.1

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved