Improper input validation in Jqlang Jq

CVE-2026-33948

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses st…

EPSS: 0.001 (33.3th percentile)

Affected products

  • Jqlang Jq — versions < 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b
