Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-43895

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.7%
CVSS Severity
CVSS v3 Score 4.4
Products affected by CVE-2026-43895
  • Jqlang » Jq » Version: 1.0
    cpe:2.3:a:jqlang:jq:1.0
  • Jqlang » Jq » Version: 1.1
    cpe:2.3:a:jqlang:jq:1.1
  • Jqlang » Jq » Version: 1.2
    cpe:2.3:a:jqlang:jq:1.2
  • Jqlang » Jq » Version: 1.3
    cpe:2.3:a:jqlang:jq:1.3
  • Jqlang » Jq » Version: 1.4
    cpe:2.3:a:jqlang:jq:1.4
  • Jqlang » Jq » Version: 1.5
    cpe:2.3:a:jqlang:jq:1.5
  • Jqlang » Jq » Version: 1.6
    cpe:2.3:a:jqlang:jq:1.6
  • Jqlang » Jq » Version: 1.7
    cpe:2.3:a:jqlang:jq:1.7
  • Jqlang » Jq » Version: 1.7-37-g88f01a7
    cpe:2.3:a:jqlang:jq:1.7-37-g88f01a7
  • Jqlang » Jq » Version: 1.7.1
    cpe:2.3:a:jqlang:jq:1.7.1


Products
Pricing
Contact Us

Shodan ® - All rights reserved