CVE-2026-43895

ADVISORY - nist

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.
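The mismatch described above can be caught on the validation side by checking the path a C string API would act on, not only the logical string. The following is an added example, not code from jq or from this advisory; it assumes the import paths have already been extracted as decoded strings, and the module names and allow-list are constructed for illustration.

```python
from typing import NamedTuple

NUL = "\x00"

class Verdict(NamedTuple):
    allowed: bool
    effective_path: str  # prefix a NUL-terminated C string API would act on
    reason: str

def c_string_view(logical: str) -> str:
    """Everything before the first NUL, which is where a C string ends."""
    return logical.split(NUL, 1)[0]

def check_import_path(logical: str, allow_list: frozenset) -> Verdict:
    """Validate the path the resolver would see, not just the logical string."""
    effective = c_string_view(logical)
    if effective != logical:
        offset = logical.index(NUL)
        return Verdict(False, effective,
                       f"embedded NUL at offset {offset}: logical and effective paths differ")
    if logical not in allow_list:
        return Verdict(False, effective, "path not in allow-list")
    return Verdict(True, effective, "ok")

def audit(paths, allow_list):
    """Return one record per path, with control characters escaped for logs."""
    records = []
    for p in paths:
        v = check_import_path(p, allow_list)
        records.append({
            "logical": p.encode("unicode_escape").decode("ascii"),
            "effective": v.effective_path,
            "allowed": v.allowed,
            "reason": v.reason,
        })
    return records

# Constructed sample data (hypothetical module names, not from the advisory).
ALLOW_LIST = frozenset({"modules/approved"})
SAMPLE_PATHS = ["modules/approved", "modules/other", "modules/other\x00/approved"]

if __name__ == "__main__":
    for rec in audit(SAMPLE_PATHS, ALLOW_LIST):
        print(rec)
```

Rejecting any import string that contains a NUL, and logging both forms in escaped text, keeps the audit record aligned with the file that would actually be opened.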

EPSS Score: 0.00017 (0.045)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Neutralization of Null Byte or NUL Character

Improper Input Validation

