{"id":"CVE-2026-33210","summary":"Ruby JSON has a format string injection vulnerability","details":"Ruby JSON is a JSON implementation for Ruby. Versions from 2.14.0 up to, but not including, the patched releases 2.15.2.1, 2.17.1.2, and 2.19.2 contain a format string injection vulnerability. It can lead to denial of service or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.","aliases":["GHSA-3m6g-2423-7cp3"],"modified":"2026-05-18T05:59:58.895087497Z","published":"2026-03-20T22:57:08.758Z","related":["CGA-g4ff-hqx9-2xp5"],"database_specific":{"cwe_ids":["CWE-134"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33210.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33210.json"},{"type":"ADVISORY","url":"https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33210"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/json","events":[{"introduced":"1cdd2122d537d93b32d554dd013f607148291ba4"},{"fixed":"54f8a878aebee090476a53c851c943128894be62"}]}],"versions":["v2.19.1","v2.19.0","v2.18.1","v2.18.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33210.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N"}]}