#1140630 ujson: CVE-2026-54911

Package:
src:ujson
Source:
src:ujson
Submitter:
Salvatore Bonaccorso
Date:
2026-06-23 19:19:03 UTC
Severity:
normal
Tags:
#1140630#5
Date:
2026-06-23 19:17:56 UTC
Hi,

The following vulnerability was published for ujson.

CVE-2026-54911[0]:
| UltraJSON is a fast JSON encoder and decoder written in pure C with
| bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or
| ujson.dump() or ujson.encode()) has a reject_bytes=False option.
| When set, they may accept malformed or truncated UTF-8 byte
| sequences, silently rewriting them into different Unicode characters
| instead of rejecting them. This leads to input validation bypass and
| data integrity issues. This vulnerability is fixed in 5.13.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54911
https://www.cve.org/CVERecord?id=CVE-2026-54911
[1] https://github.com/ultrajson/ultrajson/security/advisories/GHSA-3j69-69wj-xqx2
[2] https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
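An added illustration of the failure mode the advisory describes; this is not code from the bug report, from ujson, or from Debian. It builds two constructed byte strings (a valid UTF-8 "café" and the same value truncated inside the last character), shows a strict pre-encoding check that refuses malformed bytes instead of letting an encoder rewrite them, shows for comparison what a lossy rewrite turns the truncated bytes into, and probes whichever ujson happens to be installed with the reject_bytes keyword the advisory names. The helper names (validate_bytes, safe_dumps, lossy_decode, rejects, probe_ujson) are assumptions of this example, not ujson API:

```python
import json

# Constructed samples, not taken from the advisory: valid UTF-8 "café" and the
# same string cut off after the lead byte 0xC3 of "é" (a truncated sequence).
VALID = b"caf\xc3\xa9"
TRUNCATED = b"caf\xc3"


class MalformedUTF8(ValueError):
    """Raised when a bytes value is not strictly valid UTF-8."""


def validate_bytes(obj, path="$"):
    """Walk a JSON-like structure and turn every bytes value into the str it
    strictly decodes to. Malformed or truncated UTF-8 raises MalformedUTF8
    naming the offending value, so nothing is rewritten silently."""
    if isinstance(obj, (bytes, bytearray)):
        try:
            return bytes(obj).decode("utf-8", errors="strict")
        except UnicodeDecodeError as e:
            raise MalformedUTF8(f"{path}: {e.reason} at byte {e.start}") from None
    if isinstance(obj, dict):
        return {
            validate_bytes(k, f"{path}.<key>"): validate_bytes(v, f"{path}.{k!r}")
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [validate_bytes(v, f"{path}[{i}]") for i, v in enumerate(obj)]
    return obj


def safe_dumps(obj):
    """Encode with the stdlib encoder only after strict validation, so a bytes
    value that is not valid UTF-8 never reaches the encoder at all."""
    return json.dumps(validate_bytes(obj), ensure_ascii=False)


def rejects(obj):
    """True if safe_dumps refuses obj because of malformed UTF-8."""
    try:
        safe_dumps(obj)
    except MalformedUTF8:
        return True
    return False


def lossy_decode(raw):
    """What 'silently rewriting' looks like: errors='replace' swaps the broken
    sequence for U+FFFD and the document still encodes. Whatever a caller
    validated on the raw bytes is not what ends up in the JSON text."""
    return bytes(raw).decode("utf-8", errors="replace")


def probe_ujson(sample=TRUNCATED):
    """Report how the installed ujson handles a malformed bytes value with
    reject_bytes=False (the option named in the advisory). Returns None if
    ujson is not installed, 'rejected' if the encoder raises, otherwise the
    JSON text it produced, which can be compared with lossy_decode(sample)
    to see whether the bytes were rewritten rather than refused."""
    try:
        import ujson  # optional; the rest of this example does not need it
    except ImportError:
        return None
    try:
        return ujson.dumps(sample, reject_bytes=False)
    except Exception:  # exact exception type depends on the ujson version
        return "rejected"


if __name__ == "__main__":
    print(safe_dumps({"name": VALID}))          # strict path, valid input
    print(rejects({"name": TRUNCATED}))         # strict path refuses
    print(repr(lossy_decode(TRUNCATED)))        # the rewritten form
    print(probe_ujson())                        # installed ujson behaviour
```

The practical takeaway for a packager or an application author is the default: leaving reject_bytes at its default (True) keeps bytes out of the encoder entirely, and where bytes must be accepted, decoding them strictly before encoding is what prevents the validated input and the emitted JSON from diverging.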