Circular Dependency Vulnerability in jq Command-Line JSON Processor
CVE-2026-44777

5.4 MEDIUM

Key Information:

Vendor: Jqlang

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-44777?

In jq, a command-line JSON processor, the ordinary module loader does not detect cycles when two valid modules reference each other. Versions 1.8.2rc1 and earlier are affected. The resulting unintended recursion can lead to performance degradation and potential service disruptions. Users of jq should monitor their installations and apply the necessary patches or updates to mitigate the risk associated with this vulnerability.
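A pre-flight check for the condition described above, as an added example that is not jq's own code or its fix: it builds the import graph of a set of jq modules and reports any cycle before the modules reach an affected jq. The function names and the `SAMPLE` tree are constructed for illustration, and path resolution is simplified to "relative to the importing file, with `.jq` appended" (real jq also consults its library search path).

```python
import posixpath
import re

# jq module directives: `import "path" as name;` and `include "path";`
DIRECTIVE = re.compile(r'^\s*(?:import|include)\s+"([^"]+)"', re.MULTILINE)

def dependencies(path, source):
    """Resolve each directive relative to the importing module (assumed simplification)."""
    base = posixpath.dirname(path)
    return [posixpath.normpath(posixpath.join(base, target + ".jq"))
            for target in DIRECTIVE.findall(source)]

def find_import_cycles(modules):
    """Depth-first search over {path: source}; returns one cycle per back edge,
    each as a list of paths with the starting module repeated at the end."""
    graph = {path: dependencies(path, src) for path, src in modules.items()}
    unseen, active, done = 0, 1, 2
    state = dict.fromkeys(graph, unseen)
    cycles = []

    def visit(node, stack):
        state[node] = active
        stack.append(node)
        for dep in graph[node]:
            if dep not in graph:
                continue  # module outside the scanned set
            if state[dep] == active:  # back edge: dep is already on the load stack
                cycles.append(stack[stack.index(dep):] + [dep])
            elif state[dep] == unseen:
                visit(dep, stack)
        stack.pop()
        state[node] = done

    for node in sorted(graph):
        if state[node] == unseen:
            visit(node, [])
    return cycles

# Constructed sample: lib/a.jq and lib/b.jq are each valid but import each other.
SAMPLE = {
    "lib/a.jq": 'import "b" as b;\ndef fa: b::fb;\n',
    "lib/b.jq": 'import "a" as a;\ndef fb: 1;\n',
    "lib/util.jq": 'def inc: . + 1;\n',
    "main.jq": 'include "lib/util";\nimport "lib/a" as a;\n. | inc\n',
}

if __name__ == "__main__":
    for cycle in find_import_cycles(SAMPLE):
        print("import cycle:", " -> ".join(cycle))
```

Run over module directories that accept files from other users or repositories, this flags the mutual-import case before jq loads it.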

Affected Version(s)

jq <= 1.8.2rc1

CVSS V4

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
