Jqlang Jq
20 CVEs affecting Jqlang Jq. Latest disclosed: 2026-05-11. Critical: 0, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-32316 | High | 8.2 | 2026-04-13 | jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_… |
CVE-2024-53427 | High | 8.1 | 2025-02-26 | decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overfl… |
CVE-2026-40164 | High | 7.5 | 2026-04-14 | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432… |
CVE-2026-43896 | Medium | 6.2 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process… |
CVE-2026-43894 | Medium | 6.2 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro… |
CVE-2026-33947 | Medium | 6.2 | 2026-04-13 | jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounde… |
CVE-2023-50268 | Medium | 6.2 | 2023-12-13 | jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for thi… |
CVE-2023-50246 | Medium | 6.2 | 2023-12-13 | jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue. |
CVE-2026-39956 | Medium | 6.1 | 2026-04-13 | jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its argume… |
CVE-2026-44777 | Medium | 5.5 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules incl… |
CVE-2026-41257 | Medium | 5.5 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows bey… |
CVE-2026-41256 | Medium | 5.5 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on cur… |
CVE-2026-40612 | Medium | 5.5 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested inpu… |
CVE-2026-43895 | Medium | 4.4 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those pat… |
CVE-2024-23337 | Medium | 4.3 | 2025-05-21 | jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the s… |
CVE-2025-9403 | Low | 3.3 | 2025-08-25 | A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing mani… |
CVE-2026-33948 | | 2026-04-13 | jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation… | |
CVE-2026-39979 | | 2026-04-13 | jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer wit… | |
CVE-2025-49014 | | 2025-06-19 | jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This is… | |
CVE-2025-48060 | | 2025-05-21 | jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execu… |