Jqlang Jq vulnerabilities
26 known vulnerabilities affecting jqlang/jq.
Total CVEs: 26
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 7, MEDIUM 18
Vulnerabilities
Page 2 of 2
CVE-2026-41257 | P4 | MEDIUM | CVSS 5.5 | affected: ≤ 1.8.1 | 2026-05-11
CWE-190
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
Source: nvd
CVE-2026-54679 | P4 | MEDIUM | CVSS 5.5 | fixed in 1.8.2 | 2026-06-25
CWE-190
jq is a command-line JSON processor. Prior to 1.8.2, on 32-bit systems, jvp_string_append can suffer an integer/multiplication overflow and then cause a massive buffer overrun. This vulnerability is fixed in 1.8.2.
Source: nvd
CVE-2023-50246 | P4 | MEDIUM | CVSS 5.5 | affected: 1.7 | 2023-12-13
CWE-120
jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
Sources: nvd, osv
CVE-2026-43895 | P4 | MEDIUM | CVSS 4.4 | affected: ≤ 1.8.1 | 2026-05-11
CWE-20
jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq
Source: nvd
CVE-2026-40612 | P4 | MEDIUM | CVSS 5.5 | affected: ≤ 1.8.1 | 2026-05-11
CWE-674
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
Source: nvd
CVE-2026-44777 | P4 | MEDIUM | CVSS 5.5 | affected: ≤ 1.8.2 | 2026-05-11
CWE-674
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.
Source: nvd