CVE-2026-54911 | UltraJSON is a fast JSON encoder and decoder written in pure… | CVSS 6.5 MEDIUM

Description

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.

Metadata

CVE ID: CVE-2026-54911
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-16 13:49 UTC
Published: 2026-06-22 20:53 UTC
Last updated: 2026-06-22 20:53 UTC
Primary CWE: CWE-20
CWE-20: Improper Input Validation
Vendor / Product: ultrajson / ultrajson
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
ultrajson	ultrajson	—	< 5.13.0

Weakness (CWE)

CWE	Source	Description
CWE-20	cna	CWE-20: Improper Input Validation

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (3)

https://github.com/ultrajson/ultrajson/security/advisories/GHSA-3j69-69wj-xqx2 https://github.com/ultrajson/ultrajson/security/advisories/GHSA-3j69-69wj-xqx2
https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf
https://github.com/ultrajson/ultrajson/releases/tag/5.13.0 https://github.com/ultrajson/ultrajson/releases/tag/5.13.0