Skip to main content

jq CVE-2026-47770

| EUVDEUVD-2026-39501 MEDIUM
Uncontrolled Recursion (CWE-674)
N/A vendor:alpine
6.8
CVSS 4.0 · Vendor: vendor:alpine
Share

Severity by source

Vendor (vendor:alpine) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vendor:alpine) · only source for this CVE.

CVSS VectorVendor: vendor:alpine

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 19:17 EUVD
CVSS changed
Jun 25, 2026 - 18:22 NVD
6.8 (MEDIUM)
Analysis Generated
Jun 22, 2026 - 17:01 vuln.today

DescriptionCVE.org

Alpine Linux: jq fixed in 1.8.2-r0

AnalysisAI

jq on Alpine Linux was patched in package version 1.8.2-r0, addressing an unspecified vulnerability. The nature of the flaw - whether it is a memory corruption issue, denial of service via crafted JSON input, or another class - is not disclosed in available data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply crafted JSON input
Exploit
Pass input to vulnerable jq invocation
Execution
Trigger unspecified flaw
Impact
Achieve unknown impact

Vulnerability AssessmentAI

Exploitation Exploitation conditions cannot be determined from the available data - no technical description, CVSS vector, or CWE has been published. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Risk assessment is severely constrained by missing data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Without a published technical description, a plausible scenario would involve an attacker supplying a specially crafted JSON document to a service or script that pipes external input through jq, potentially triggering a crash or memory corruption. No proof-of-concept exploit has been identified, and this scenario is speculative based solely on jq's role as a JSON parser.
Remediation Update the jq package on Alpine Linux to version 1.8.2-r0 or later using the standard Alpine package manager: 'apk upgrade jq'. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Jq

View all
CVE-2024-53427 HIGH POC
8.1 Feb 26

decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which ha

CVE-2015-8863 CRITICAL
9.8 May 06

Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (cras

CVE-2025-48060 HIGH POC
7.7 May 21

jq is a command-line JSON processor. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no auth

CVE-2016-4074 HIGH POC
7.5 May 06

The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and applicat

CVE-2023-49355 HIGH POC
7.5 Dec 11

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" inpu

CVE-2023-50268 MEDIUM POC
5.5 Dec 13

jq is a command-line JSON processor. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Publ

CVE-2023-50246 MEDIUM POC
5.5 Dec 13

jq is a command-line JSON processor. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Publ

CVE-2026-32316 HIGH
8.2 Apr 13

Heap buffer overflow in jq command-line JSON processor (all versions through 1.8.1) allows remote unauthenticated attack

CVE-2026-49839 HIGH
7.1

Out-of-bounds write in the jq command-line JSON processor (CWE-787) lets a crafted JSON input corrupt memory when parsed

CVE-2026-54679 MEDIUM
6.9

jq, the command-line JSON processor, was patched in Alpine Linux with package version 1.8.2-r0. The specific vulnerabili

CVE-2026-39979 MEDIUM
6.9 Apr 13

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() AP

CVE-2026-43894 MEDIUM
6.2 May 11

Buffer overflow in jq 1.8.1 and earlier allows local attackers to cause denial of service by providing a crafted JSON nu

Share

CVE-2026-47770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy