PT-2026-39719 · Jq · Jq

Thesmartshadow

·

Published

2026-05-11

·

Updated

2026-05-29

·

CVE-2026-43895

CVSS v3.1

4.4

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions jq versions 1.8.1 and earlier
Description jq accepts embedded NUL bytes in import paths at the jq-language level, but subsequently resolves those paths using C string operations during module and data-file lookup. This results in a mismatch between the logical import string validated by policy or audit code and the actual on-disk path that the software opens.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43895
ECHO-98FD-319D-20DC
GHSA-7Q7G-MRQ3-PHXR
OESA-2026-2424
OESA-2026-2425
OESA-2026-2426
OESA-2026-2427
OESA-2026-2487
OPENSUSE-SU-2026:10850-1

Affected Products

Jq