CVE-2026-43895
Published 2026-05-11
Priority P4 · 20 · medium · CVSS 3.1 base 4.4 (AV:L / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:N)
EPSS 0.16% (5.3rd percentile)
jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| jqlang | jq | <= 1.8.1 | — |
| jqlang | jq | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS 3.1) | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| Red Hat (vendor) | 4.4 | MEDIUM | — |
VulDB
jqlang jq up to 1.8.1 input validation (GHSA-7q7g-mrq3-phxr)
vuldb · 2026-05-11 · CVSS 4.4 MEDIUM
A vulnerability classified as problematic has been found in jqlang jq up to 1.8.1. Impacted is an unknown function. Performing a manipulation results in improper input validation.
This vulnerability is reported as CVE-2026-43895. The attack requires a local approach. No exploit exists.
Red Hat
jq: embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts
vendor_redhat · 2026-05-11 · CVSS 4.4 MEDIUM · CWE-20
A flaw was found in jq, a command line JSON processor. Embedded NUL bytes in import paths are truncated during module and data-file lookup, creating a mismatch between the intended import string and the actual file path opened. This issue allows an attacker who can supply a crafted script to access unintended files.
Statement: To exploit this flaw, an attacker needs to supply a crafted script containing embedded NUL bytes in import paths to be processed by jq. This allows the attacker to bypass intended path validation mechanisms and access unintended files. Due to these reasons, this issue has been rated with a moderate severity.
Mitigation: Do not process untr
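The mismatch described in the CVE summary above and in Red Hat's description, as an added example that is not code from jq or from any of the sources quoted on this page. It models in Python how a jq-language import string (JSON-style escapes, so a NUL can be written as `\u0000`) differs from what a `strlen`-style C lookup sees, and why a policy that compares the logical string can be bypassed while a check that rejects NUL outright and applies the policy to the effective path cannot. The import-directive regex, the `DENIED_MODULES` deny-list and the sample programs are constructed for the example; jq's real module resolver is not reproduced here.

```python
import json
import re

# Constructed for this example: a minimal matcher for jq's
#   import "path" as name;   /   include "path";
# directives. The string literal is captured with its escapes intact so it
# can be decoded with JSON rules, which is how jq lexes string literals too.
DIRECTIVE_RE = re.compile(r'\b(import|include)\s+("(?:[^"\\]|\\.)*")')


def logical_import_path(literal: str) -> str:
    """The path as the jq language sees it: escapes decoded, NUL preserved."""
    return json.loads(literal)


def effective_c_path(logical: str) -> str:
    """The path a strlen/strcpy-style C resolver sees: cut at the first NUL."""
    nul = logical.find("\x00")
    return logical if nul < 0 else logical[:nul]


def audit_imports(program: str) -> list[dict]:
    """Decode every import/include directive and record logical vs effective path."""
    findings = []
    for m in DIRECTIVE_RE.finditer(program):
        logical = logical_import_path(m.group(2))
        effective = effective_c_path(logical)
        findings.append({
            "directive": m.group(1),
            "logical": logical,
            "effective": effective,
            "truncated": logical != effective,
        })
    return findings


# Hypothetical deny-list policy, constructed for the example: a pipeline
# forbids scripts from importing a module that would re-emit unredacted fields.
DENIED_MODULES = {"passthrough"}


def naive_policy_allows(program: str) -> bool:
    """Vulnerable check: compares the *logical* string, i.e. what jq validated."""
    return all(f["logical"] not in DENIED_MODULES for f in audit_imports(program))


def hardened_policy_allows(program: str) -> bool:
    """Fixed check: any embedded NUL is rejected outright, and the deny-list is
    applied to the path that would actually be opened."""
    for f in audit_imports(program):
        if f["truncated"]:
            return False
        if f["effective"] in DENIED_MODULES:
            return False
    return True


# Constructed samples. The literal "passthrough\u0000" decodes to a string that
# is not equal to "passthrough", so the naive check passes, but a C resolver
# stops at the NUL and would look up passthrough.jq anyway.
CRAFTED = 'import "passthrough\\u0000" as p; .[] | p::emit'
BENIGN = 'import "redact" as r; .[] | r::scrub'

if __name__ == "__main__":
    for name, prog in (("benign", BENIGN), ("crafted", CRAFTED)):
        for f in audit_imports(prog):
            flag = " (truncated)" if f["truncated"] else ""
            print(f"{name}: {f['logical']!r} -> {f['effective']!r}{flag}")
        print(f"{name}: naive={naive_policy_allows(prog)} "
              f"hardened={hardened_policy_allows(prog)}")
```

The practical takeaway is the order of checks: a pre-filter that decodes each import literal and refuses any script whose decoded path contains a NUL is cheap and does not depend on knowing how a given jq build resolves modules; comparing the decoded string alone is exactly the check this CVE sidesteps.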
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-43895 jq: embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts [fedora-all]
bugzilla · 2026-05-14 · CVSS 4.4 MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-43895 jq: embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts
bugzilla · 2026-05-11 · CVSS 4.4 MEDIUM
Published 2026-05-11