CVE Catalog

CVE-2026-54911

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

Vulnerability in UltraJSON library (versions before 5.13.0) allows accepting malformed or truncated UTF-8 byte sequences when encoding data using ujson.dumps(), ujson.dump(), or ujson.encode() with reject_bytes=False option. Instead of rejecting invalid data, the library silently rewrites them into different Unicode characters, leading to input validation bypass and data integrity issues.

Risk Assessment

The organization may be exposed to processing corrupted data, which can result in application errors, data integrity violations, or potential exploitation through input manipulation attacks.

Recommendation

Immediately update the UltraJSON library to version 5.13.0 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS