PT-2026-39719 · Jq · Jq
Thesmartshadow
·
Published
2026-05-11
·
Updated
2026-05-29
·
CVE-2026-43895
CVSS v3.1
4.4
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
jq versions 1.8.1 and earlier
Description
jq accepts embedded NUL bytes in import paths at the jq-language level, but subsequently resolves those paths using C string operations during module and data-file lookup. This results in a mismatch between the logical import string validated by policy or audit code and the actual on-disk path that the software opens.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jq