Denial of Service Vulnerability in Cpanel::JSON::XS by RURBAN
CVE-2026-9516

Currently unrated

Key Information:

Vendor: Rurban

CVE Published: 3 June 2026

What is CVE-2026-9516?

Cpanel::JSON::XS contains a denial of service vulnerability that attackers can trigger by submitting input prefixed with a UTF-8 Byte Order Mark (BOM). When a decode filter callback encounters such input, an exception can be thrown, leaving the scalar's string pointer in an invalid state. The interpreter then crashes when the scalar is later freed. By exploiting this flaw, an attacker can disrupt services that rely on the affected library, so immediate patching is needed to maintain system stability.

Affected Version(s)

Cpanel::JSON::XS versions before 4.41 (0 < 4.41)
