jqlang jq

21 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-44777 | affected: <= 1.8.2 | CVSS 5.5 MEDIUM
    jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two
CVE-2026-43896 | affected: <= 1.8.1 | CVSS 6.2 MEDIUM
    jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq
CVE-2026-43895 | affected: <= 1.8.1 | CVSS 4.4 MEDIUM
    jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level,
CVE-2026-43894 | affected: <= 1.8.1 | CVSS 6.2 MEDIUM
    jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (214748
CVE-2026-41257 | affected: <= 1.8.1 | CVSS 5.5 MEDIUM
    jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed
CVE-2026-41256 | affected: <= 1.8.1 | CVSS 5.5 MEDIUM
    jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq programs loaded from a file with -f are truncated at the f
CVE-2026-40612 | affected: <= 1.8.1 | CVSS 5.5 MEDIUM
    jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. Wi
CVE-2026-33948 | affected: < 2026-04-12 | CVSS 5.3 MEDIUM
    jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI inp
CVE-2026-39979 | affected: < 2026-04-12 | CVSS 6.5 MEDIUM
    jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq
CVE-2026-39956 | affected: >= 2026-04-02 and < 2026-04-08 | CVSS 6.1 MEDIUM
    jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's sr
CVE-2026-33947 | affected: <= 1.8.1 | CVSS 6.2 MEDIUM
    jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in j
CVE-2026-32316 | affected: <= 1.8.1 | CVSS 8.2 HIGH
    jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append()
CVE-2025-9403 | affected: <= 1.6 | CVSS 3.3 LOW
    A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the componen
CVE-2025-48060 | affected: <= 1.7.1 | CVSS 7.5 HIGH
    jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_stri
CVE-2024-23337 | affected: <= 1.7.1 | CVSS 4.3 MEDIUM
    jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using
CVE-2024-53427 | affected: <= 1.7.1 | CVSS 8.1 HIGH
    decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a result
CVE-2023-50268 | affected: all versions | CVSS 6.2 MEDIUM
    jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1
CVE-2023-50246 | affected: all versions | CVSS 6.2 MEDIUM
    jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for t
CVE-2023-49355 | affected: all versions | CVSS 7.5 HIGH
    decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: t
CVE-2016-4074 | affected: <= 1.5 | CVSS 7.5 HIGH
    The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash)
CVE-2015-8863 | affected: <= 1.5 | CVSS 9.8 CRITICAL
    Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (crash) via a l
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin