CVE-2026-9563
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
In Eclipse Parsson before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications parsing attacker-controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, leading to a denial of service.
Risk Assessment
The risk is a potential DoS attack where a malicious large JSON document can exhaust server resources and disrupt application availability.
Recommendation
Immediately update Eclipse Parsson to version 1.1.8 or later, which introduces a configurable maximum parsing limit with a default of 15 million characters.
Original NVD description (English source)
In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.

