CVE Alert

CVE-2026-54911

Severity: MEDIUM (6.5)

UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (and likewise ujson.dump() and ujson.encode()) accept a reject_bytes=False option. When it is set, they may accept malformed or truncated UTF-8 byte sequences and silently rewrite them into different Unicode characters instead of rejecting them. This allows input validation to be bypassed and causes data integrity issues. This vulnerability is fixed in 5.13.0.
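The defensive pattern the description implies is to validate byte values strictly before they reach any encoder, and to never rely on a lenient encoder to reject them. The following is an added example written for this page; it is not code from the ultrajson project. It uses the standard-library json encoder so it runs without ujson installed, the function names (is_valid_utf8, decode_bytes_strict, safe_dumps, lenient_rewrite, classify_samples, validation_error) are hypothetical, and the SAMPLES byte strings are constructed to cover the malformed and truncated shapes a strict decoder must refuse.

```python
import json
from typing import Any, Optional

# Constructed sample byte strings (not from the advisory): well-formed UTF-8
# alongside the malformed/truncated shapes a strict decoder must reject.
SAMPLES = {
    "ascii": b"hello",
    "valid_multibyte": "caf\u00e9".encode("utf-8"),  # b"caf\xc3\xa9"
    "truncated": b"caf\xc3",                         # lead byte, continuation missing
    "bad_continuation": b"\xc3\x28",                 # 0x28 is not a continuation byte
    "overlong_slash": b"\xc0\xaf",                   # overlong encoding of "/"
    "lone_surrogate": b"\xed\xa0\x80",               # UTF-16 surrogate U+D800 in UTF-8
}


def is_valid_utf8(data: bytes) -> bool:
    """True only if every byte sequence in `data` is well-formed UTF-8."""
    try:
        data.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def decode_bytes_strict(obj: Any, path: str = "$") -> Any:
    """Walk a JSON-like tree and turn every bytes value into str.

    Malformed or truncated UTF-8 raises ValueError naming the JSON path,
    instead of being quietly rewritten into other characters.
    """
    if isinstance(obj, bytes):
        try:
            return obj.decode("utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            raise ValueError(f"malformed UTF-8 at {path}: {exc}") from None
    if isinstance(obj, dict):
        return {k: decode_bytes_strict(v, f"{path}.{k}") for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [decode_bytes_strict(v, f"{path}[{i}]") for i, v in enumerate(obj)]
    return obj


def validation_error(obj: Any) -> Optional[str]:
    """Return the rejection message for `obj`, or None if it validates."""
    try:
        decode_bytes_strict(obj)
        return None
    except ValueError as exc:
        return str(exc)


def safe_dumps(obj: Any) -> str:
    """Encode to JSON only after every bytes value passed strict validation.

    The stdlib encoder is used so the example runs without ujson; the same
    pre-validated tree can be handed to ujson.dumps() with its default
    reject_bytes=True, which then has no bytes left to accept or rewrite.
    """
    return json.dumps(decode_bytes_strict(obj), ensure_ascii=False)


def lenient_rewrite(data: bytes) -> str:
    """What silent rewriting looks like: invalid sequences become U+FFFD."""
    return data.decode("utf-8", errors="replace")


def classify_samples() -> dict:
    """Map each sample name to 'ok' or 'rejected' under strict validation."""
    return {name: ("ok" if is_valid_utf8(raw) else "rejected")
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18} {verdict:9} lenient={lenient_rewrite(SAMPLES[name])!r}")
    print(safe_dumps({"user": b"caf\xc3\xa9", "tags": [b"a", b"b"]}))
    print("rejected:", validation_error({"user": SAMPLES["truncated"]}))
```

The comparison between classify_samples() and lenient_rewrite() is the practical check: any value where the two disagree is one that a lenient encoder would have changed on the way out, which is exactly the integrity failure the advisory describes. Rejecting at the boundary, with the offending path in the error, keeps that decision visible in logs rather than buried in the output.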

CWE: CWE-20
Vendor: ultrajson
Product: ultrajson
Published: Jun 22, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

ultrajson / ultrajson
< 5.13.0

References

GitHub advisory: https://github.com/ultrajson/ultrajson/security/advisories/GHSA-3j69-69wj-xqx2
Fix commit: https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf
Release 5.13.0: https://github.com/ultrajson/ultrajson/releases/tag/5.13.0