PT-2026-51093 · Pypi · Ultrajson
Zwique · Published 2026-06-19 · Updated 2026-06-22 · CVE-2026-54911
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: UltraJSON versions prior to 5.13.0
Description: The functions ujson.dumps(), ujson.dump(), and ujson.encode() contain an issue when the reject_bytes parameter is set to False. In this configuration, the software may accept malformed or truncated UTF-8 byte sequences and silently rewrite them into different Unicode characters instead of rejecting them. This behavior can lead to data integrity issues and to the bypass of input validation if such validation is performed before serialization. Technical examples include the replacement of invalid continuation bytes with valid ones, the completion of unterminated sequences, and reading past the end of a string.
Recommendations: Update to version 5.13.0. As a temporary workaround, decode bytes to strings in Python before passing them to the ujson.dumps() function.
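Added example (not part of this advisory or of the UltraJSON project) applying the workaround above: every bytes value is strictly decoded before serialization, so an invalid continuation byte or a truncated sequence is rejected up front instead of being silently rewritten by the encoder. It assumes ujson may not be installed and falls back to the standard library json module; the payloads are constructed for the demonstration.

```python
"""Strict UTF-8 pre-validation before JSON serialization (added example)."""
import json

try:
    import ujson as _serializer  # use UltraJSON when it is installed
except ImportError:  # assumption: fall back to stdlib json for this demo
    _serializer = json


def decode_bytes_strictly(value):
    """Recursively replace bytes with str, rejecting malformed UTF-8.

    errors="strict" raises UnicodeDecodeError on an invalid continuation
    byte or a truncated multi-byte sequence, so raw bytes never reach the
    encoder where they could be silently rewritten.
    """
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="strict")
    if isinstance(value, dict):
        return {decode_bytes_strictly(k): decode_bytes_strictly(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [decode_bytes_strictly(v) for v in value]
    return value


def safe_dumps(obj):
    """Serialize only after strict decoding; never hand bytes to the encoder."""
    return _serializer.dumps(decode_bytes_strictly(obj))


def is_rejected(obj):
    """Return True when safe_dumps refuses the payload as malformed UTF-8."""
    try:
        safe_dumps(obj)
    except UnicodeDecodeError:
        return True
    return False


# Constructed sample payloads (hypothetical data, not from the advisory):
VALID = {b"name": b"caf\xc3\xa9"}             # well-formed UTF-8 for "café"
BAD_CONTINUATION = {"name": b"caf\xc3\x41"}   # 0x41 is not a continuation byte
TRUNCATED = {"name": b"caf\xc3"}              # multi-byte sequence cut short

if __name__ == "__main__":
    print(safe_dumps(VALID))
    print("bad continuation rejected:", is_rejected(BAD_CONTINUATION))
    print("truncated rejected:", is_rejected(TRUNCATED))
```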

Fix · RCE


Weakness Enumeration

Related Identifiers

CVE-2026-54911
GHSA-3J69-69WJ-XQX2

Affected Products

Ultrajson