CVE-2026-43895
4.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| jqlang | jq | <= 1.8.1 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
- CWE-158: CWE-158: Improper Neutralization of Null Byte or NUL Character
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.