High severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 23, 2026

Ruby JSON has a format string injection vulnerability

CVE-2026-33210

Description

Ruby JSON is a JSON implementation for Ruby. In versions from 2.14.0 up to, but not including, the patched releases 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents. The issue is patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
json (RubyGems) | >= 2.18.0, < 2.19.2 | 2.19.2
json (RubyGems) | >= 2.16.0, < 2.17.1.2 | 2.17.1.2
json (RubyGems) | >= 2.14.0, < 2.15.2.1 | 2.15.2.1
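
A triage check built from the description and the version table above, added here as an example and not taken from the advisory or the json project. It reports a project as exposed only when the locked json version is in an affected range and the source sets allow_duplicate_key: false literally. The helper names, the regular expressions and the sample lockfile and source are assumptions constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version and Gem::Requirement

# Affected ranges and fixed releases, copied from the advisory's package table.
AFFECTED = [
  [Gem::Requirement.new(">= 2.18.0", "< 2.19.2"),   "2.19.2"],
  [Gem::Requirement.new(">= 2.16.0", "< 2.17.1.2"), "2.17.1.2"],
  [Gem::Requirement.new(">= 2.14.0", "< 2.15.2.1"), "2.15.2.1"],
].freeze

# Locked json version from Gemfile.lock text, or nil when json is not locked.
# Only the numeric part is captured so a platform suffix such as "-java" is
# not parsed by Gem::Version as a prerelease marker.
def locked_json_version(lockfile_text)
  m = lockfile_text.match(/^ {4}json \((\d+(?:\.\d+)*)[^)]*\)$/)
  m && Gem::Version.new(m[1])
end

# Patched release to move to, or nil when the version is outside every range.
def fixed_release_for(version)
  hit = AFFECTED.find { |req, _fix| req.satisfied_by?(version) }
  hit && hit[1]
end

# 1-based line numbers where the option named in the advisory is set literally.
OPTION_RE = /allow_duplicate_key:\s*false|:allow_duplicate_key\s*=>\s*false/
def duplicate_key_option_lines(source_text)
  source_text.each_line.with_index(1).select { |line, _n| line =~ OPTION_RE }.map(&:last)
end

# Exposure needs both conditions from the description: an affected version
# and a parse call that sets allow_duplicate_key: false.
def assess(lockfile_text, sources)
  version = locked_json_version(lockfile_text)
  fix = version && fixed_release_for(version)
  uses = sources.transform_values { |src| duplicate_key_option_lines(src) }
                .reject { |_path, lines| lines.empty? }
  { version: version&.to_s, fix: fix, option_uses: uses, exposed: !fix.nil? && !uses.empty? }
end

# Constructed sample input (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.17.0)
      rack (3.1.0)
LOCK
SAMPLE_SRC = { "app/api.rb" => "body = request.body.read\nJSON.parse(body, allow_duplicate_key: false)\n" }.freeze

p assess(SAMPLE_LOCK, SAMPLE_SRC) if $PROGRAM_NAME == __FILE__
```

The source scan only finds the option when it is written literally, so an options hash built elsewhere and passed in is missed. An affected locked version is reason enough to upgrade even when the scan finds nothing.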
