Is there a patch available for CVE-2026-33948?

Yes, a patch is available for CVE-2026-33948. Update the affected software to the latest version immediately.

Jq CVE-2026-33948

Q: What is the CVSS score of CVE-2026-33948?

CVE-2026-33948 has a CVSS 4.0 base score of 2.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

LOW

Improper Input Validation (CWE-20)

2026-04-14 security-advisories@github.com

Authentication Bypass Jq

2.9

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

2.9 LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 24, 2026 - 00:16 nvd

Patch available

Analysis Generated

Apr 14, 2026 - 00:25 vuln.today

Analysis Generated

Apr 14, 2026 - 00:22 vuln.today

CVE Published

Apr 14, 2026 - 00:16 nvd

LOW 2.9

DescriptionGitHub Advisory

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.

AnalysisAI

Input validation bypass in jq command-line JSON processor allows attackers to craft JSON with embedded NUL bytes that jq incorrectly truncates, validating only a benign prefix while silently discarding malicious trailing data. Versions before commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b are affected; the vulnerability enables parser differential attacks where jq validates hostile input as safe JSON, but downstream consumers process the complete input including injected payloads. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Craft JSON with valid prefix and NUL byte

Delivery

Submit to jq validator

Exploit

jq truncates at NUL, validates prefix only

Install

Attacker's suffix silently discarded by jq

Full input forwarded to downstream consumer

Execute

Consumer processes suffix payload

Impact

Injection or bypass succeeds