6.5
CVE-2026-54911
- EPSS 0.27%
- Veröffentlicht 22.06.2026 20:53:07
- Zuletzt bearbeitet 26.06.2026 20:10:54
- CVE-Watchlists
- Unerledigt
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ultrajson Project ≫ Ultrajson SwPlatformpython Version < 5.13.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.27% | 0.19 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-3j69-69wj-xqx2
https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf
https://github.com/ultrajson/ultrajson/releases/tag/5.13.0