Every CVE whose affected-product data names Jqlang Jq, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (22)
CVE-2026-32316 — CVSS 8.2 (high): jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and…
CVE-2024-53427 — CVSS 8.1 (high): decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant…
CVE-2025-48060 — CVSS 7.5 (high): jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt`…
CVE-2023-49355 — CVSS 7.5 (high): decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is…
CVE-2026-49839 — CVSS 7.1 (high): jq is a command-line JSON processor. Prior to 1.8.2,` jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and…
CVE-2026-39979 — CVSS 6.5 (medium): jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts…
CVE-2023-50246 — CVSS 6.2 (medium): jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
CVE-2026-33947 — CVSS 6.2 (medium): jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's…
CVE-2026-43896 — CVSS 6.2 (medium): jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program…
CVE-2026-43894 — CVSS 6.2 (medium): jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646)…
CVE-2023-50268 — CVSS 6.2 (medium): jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1…
CVE-2026-39956 — CVSS 6.1 (medium): jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's…
CVE-2026-54679 — CVSS 5.5 (medium): jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and…
CVE-2026-40612 — CVSS 5.5 (medium): jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a…
CVE-2026-41256 — CVSS 5.5 (medium): jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first…
CVE-2026-41257 — CVSS 5.5 (medium): jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When…
CVE-2026-44777 — CVSS 5.5 (medium): jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two…
CVE-2026-47770 — CVSS 5.5 (medium): jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C…
CVE-2026-33948 — CVSS 5.3 (medium): jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input…
CVE-2026-43895 — CVSS 4.4 (medium): jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but…
CVE-2024-23337 — CVSS 4.3 (medium): jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index…
CVE-2025-9403 — CVSS 3.3 (low): A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON…