Type Confusion Vulnerability in Cpanel::JSON::XS by Rurban
CVE-2026-9334
Currently unrated
What is CVE-2026-9334?
The Cpanel::JSON::XS Perl module prior to version 4.41 has a type confusion vulnerability that is reachable when the dupkeys_as_arrayref option is enabled. The flaw is in the decode_hv() function, which processes duplicate object keys incorrectly: it dereferences a non-reference scalar as a reference. Decoding untrusted JSON with this configuration can therefore result in crashes or unintended access to attacker-controlled data, and it can lead to execution of code with potentially harmful effects, which may compromise system integrity.
Affected Version(s)
Cpanel::JSON::XS 0 < 4.41
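
The two conditions in the description (a release before 4.41 and dupkeys_as_arrayref enabled) can be audited across a code base. The script below is an added example, not part of the advisory or of the module; it is a heuristic that assumes decimal version strings and that the option is enabled through a chained method call such as ->dupkeys_as_arrayref(1), and SAMPLE is constructed input.

```python
import re
from decimal import Decimal

FIXED_IN = Decimal("4.41")  # first fixed release, per the advisory

# Method call with an optional argument list (assumed calling style).
CALL = re.compile(r"->\s*dupkeys_as_arrayref\b\s*(?:\(\s*([^)]*?)\s*\))?")

# Constructed sample of Perl source, for illustration only.
SAMPLE = '''\
use Cpanel::JSON::XS;
# my $old = Cpanel::JSON::XS->new->dupkeys_as_arrayref;
my $strict = Cpanel::JSON::XS->new->dupkeys_as_arrayref(0);
my $json = Cpanel::JSON::XS->new->utf8->dupkeys_as_arrayref(1);
my $data = $json->decode($request_body);
'''


def is_affected(version: str) -> bool:
    """True if a decimal Perl version string is below the fixed release."""
    # Developer releases look like 4.40_01; Perl ignores the underscore.
    return Decimal(version.strip().replace("_", "")) < FIXED_IN


def find_enabled(source: str):
    """Return (line_number, text) for calls that turn the option on."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("#", 1)[0]  # crude comment strip (heuristic)
        for m in CALL.finditer(code):
            # No argument means "enable"; a literal false value disables.
            # Variables are reported too, since their value is unknown.
            if m.group(1) not in ("0", "''", '""'):
                hits.append((n, line.strip()))
    return hits


def assess(version: str, source: str) -> str:
    """Combine both conditions; input trust still needs manual review."""
    if not is_affected(version):
        return "patched"
    return "review-required" if find_enabled(source) else "option-not-enabled"


if __name__ == "__main__":
    print(assess("4.40", SAMPLE), find_enabled(SAMPLE))
```

A "review-required" result means both preconditions are present; whether the decoded JSON is untrusted still has to be confirmed by reading the call site.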
