Vulnerability Details CVE-2026-54911
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 19.0%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-54911
-
cpe:2.3:a:ultrajson_project:ultrajson:1.19
-
cpe:2.3:a:ultrajson_project:ultrajson:1.34
-
cpe:2.3:a:ultrajson_project:ultrajson:1.35
-
cpe:2.3:a:ultrajson_project:ultrajson:2.0.0
-
cpe:2.3:a:ultrajson_project:ultrajson:2.0.1
-
cpe:2.3:a:ultrajson_project:ultrajson:2.0.2
-
cpe:2.3:a:ultrajson_project:ultrajson:2.0.3
-
cpe:2.3:a:ultrajson_project:ultrajson:3.0.0
-
cpe:2.3:a:ultrajson_project:ultrajson:3.1.0
-
cpe:2.3:a:ultrajson_project:ultrajson:3.2.0
-
cpe:2.3:a:ultrajson_project:ultrajson:4.0.0
-
cpe:2.3:a:ultrajson_project:ultrajson:4.0.1
-
cpe:2.3:a:ultrajson_project:ultrajson:4.0.2
-
cpe:2.3:a:ultrajson_project:ultrajson:4.1.0
-
cpe:2.3:a:ultrajson_project:ultrajson:4.2.0
-
cpe:2.3:a:ultrajson_project:ultrajson:4.3.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.0.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.1.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.10.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.11.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.12.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.2.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.3.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.4.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.5.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.6.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.7.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.8.0
-
cpe:2.3:a:ultrajson_project:ultrajson:5.9.0