Input validation error in ultrajson - CVE-2026-54911
Published: June 17, 2026
ultrajson
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass input validation and compromise the integrity of serialized data.
The vulnerability exists due to improper input validation in ujson.dumps(), ujson.dump(), and ujson.encode() when they process malformed or truncated UTF-8 byte sequences with reject_bytes=False. A remote attacker can supply crafted byte sequences to bypass input validation and compromise the integrity of serialized data.
The issue occurs only when the reject_bytes=False option is used.
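Because exposure depends on the reject_bytes=False option, the first triage step is finding the call sites that set it. The scanner below is an added example, not code from the advisory or from the ultrajson project; the function name find_reject_bytes_false and the sample source are constructed for illustration. It flags calls to the three affected functions that pass a falsy literal, and marks non-literal values for manual review.

```python
import ast

ENCODERS = {"dumps", "dump", "encode"}  # ujson functions named in the advisory

# Constructed sample source to scan; it is parsed, never executed.
SAMPLE = '''\
import ujson
import ujson as uj
from ujson import dumps as to_json

a = ujson.dumps(payload)
b = ujson.dumps(payload, reject_bytes=False)
c = uj.encode(payload, reject_bytes=flag)
d = to_json(payload, reject_bytes=False)
e = ujson.dump(payload, fh, reject_bytes=True)
f = json.dumps(payload, reject_bytes=False)
'''

def find_reject_bytes_false(source):
    """Return sorted (line, function, status) for ujson encoder calls that disable reject_bytes."""
    tree = ast.parse(source)
    modules, funcs = set(), {}  # local names bound to ujson / to its encoder functions
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules.update(a.asname or a.name for a in node.names if a.name == "ujson")
        elif isinstance(node, ast.ImportFrom) and node.module == "ujson":
            funcs.update({a.asname or a.name: a.name for a in node.names if a.name in ENCODERS})
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in modules and f.attr in ENCODERS):
            name = "ujson." + f.attr
        elif isinstance(f, ast.Name) and f.id in funcs:
            name = "ujson." + funcs[f.id]
        else:
            continue  # not a ujson encoder call (e.g. the stdlib json module)
        for kw in node.keywords:
            if kw.arg != "reject_bytes":
                continue
            if not isinstance(kw.value, ast.Constant):
                findings.append((node.lineno, name, "dynamic"))   # variable: review by hand
            elif not kw.value.value:
                findings.append((node.lineno, name, "disabled"))  # falsy literal such as False
    return sorted(findings)

if __name__ == "__main__":
    print(*find_reject_bytes_false(SAMPLE), sep="\n")
```

Options passed through **kwargs are not resolved by this scanner and still need a manual check.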