VDB

CVE-2026-33210

CVE-2026-33210 PUBLISHED CVSS 8.300000190734863 HIGH

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

EPSS 0.04% · 11.6th percentile

Risk Scores

CVSS 4.0
8.300000190734863
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.04%
11.6th percentile

Affected Products

VendorProductVersions
ruby-langjson2.18.0, 2.16.0, 2.14.0
RubyGemsjson2.14.0, 2.18.0, 2.14.0
rubyjson>= 2.14.0, < 2.15.2.1, >= 2.18.0, < 2.19.2, >= 2.16.0, < 2.17.1.2

Exploit Intelligence

…and 28 more exploits

Timeline

  • Mar 19, 2026 CVE Published
  • Mar 20, 2026 Security Advisory
  • Mar 21, 2026 EPSS Score
  • Mar 21, 2026 PoC Published
  • Mar 22, 2026 EPSS Score
  • Mar 23, 2026 EPSS Score
  • Mar 24, 2026 EPSS Score
  • Mar 25, 2026 CVE Updated
  • Mar 25, 2026 EPSS Score
  • Mar 31, 2026 PoC Published
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›