PT-2026-26298 · Rubygems · Json
Published: 2026-03-19 · Updated: 2026-03-19 · CVE-2026-33210
CVSS v4.0: 8.3 High (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N)
Impact
A format string injection vulnerability that can lead to denial of service attacks or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents. This option isn't the default; if you didn't opt in to use it, you are not impacted.
Patches
Patched in 2.19.2.
Workarounds
The issue can be avoided by not using the allow_duplicate_key: false parsing option.
Fix
Use of Externally-Controlled Format String
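A triage check for the two conditions above (json locked below 2.19.2 and a call site that opts in to allow_duplicate_key: false), added here as an example and not taken from the advisory or the json project. The function names, the sample lockfile and the sample source file are constructed for illustration, and the match is static, so options built dynamically are not detected.

```ruby
require "rubygems" # Gem::Version for correct version ordering

PATCHED = Gem::Version.new("2.19.2") # fixed release named in the advisory
# Matches `allow_duplicate_key: false` and `:allow_duplicate_key => false`.
OPT_RE = /:?\ballow_duplicate_key\b\s*(?::|=>)\s*false\b/

# Return the json version locked in Gemfile.lock text, or nil if absent.
def locked_json_version(lock_text)
  m = lock_text.match(/^ {4}json \(([^)\s\-]+)/)
  m && Gem::Version.new(m[1])
end

# Return [path, line_no, line] for each non-comment line that opts in.
def option_uses(sources)
  sources.flat_map do |path, text|
    text.each_line.with_index(1).select { |line, _| line =~ OPT_RE && line !~ /^\s*#/ }
        .map { |line, no| [path, no, line.strip] }
  end
end

# Combine both conditions: only an unpatched json plus an opt-in is :exposed.
def triage(lock_text, sources)
  version = locked_json_version(lock_text)
  uses = option_uses(sources)
  status =
    if version.nil? then :json_not_locked
    elsif version >= PATCHED then :patched
    elsif uses.empty? then :option_unused
    else :exposed
    end
  { status: status, version: version&.to_s, uses: uses }
end

# Constructed sample inputs (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.18.0)
      rack (3.1.8)
LOCK
SAMPLE_SOURCES = { "app/import.rb" => <<~RUBY }
  body = request.body.read
  doc = JSON.parse(body, allow_duplicate_key: false)
RUBY

p triage(SAMPLE_LOCK, SAMPLE_SOURCES) if __FILE__ == $PROGRAM_NAME
```

In a real project, pass File.read("Gemfile.lock") and a hash of path to file contents built from the application's Ruby sources.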
Weakness Enumeration
Related Identifiers
Affected Products
Json