Input Validation Issue in UltraJSON by UltraJSON
CVE-2026-54911

6.5MEDIUM

Key Information:

Vendor

Ultrajson

Status
Ultrajson
Vendor
CVE Published:
22 June 2026

What is CVE-2026-54911?

Prior to version 5.13.0, UltraJSON, a JSON encoder and decoder, had an input validation flaw that allowed the functions ujson.dumps(), ujson.dump(), and ujson.encode() to accept malformed or truncated UTF-8 byte sequences when the reject_bytes option was set to False. This oversight resulted in the silent rewriting of such sequences into different Unicode characters, posing risks to data integrity and allowing for input validation bypass. Users are strongly advised to upgrade to version 5.13.0 or later to mitigate these issues.

Affected Version(s)

ultrajson < 5.13.0

References

https://github.com/ultrajson/ultrajson/security/advisorie...
x_refsource_CONFIRM
https://github.com/ultrajson/ultrajson/commit/169eaf36b11...
x_refsource_MISC
https://github.com/ultrajson/ultrajson/releases/tag/5.13.0
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.