VDB
CVE-2026-33210
CVE-2026-33210
PUBLISHED
CVSS 8.300000190734863 HIGH
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
EPSS 0.04% · 11.6th percentile
Risk Scores
CVSS 4.0
8.300000190734863
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.04%
11.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ruby-lang | json | 2.18.0, 2.16.0, 2.14.0 |
| RubyGems | json | 2.14.0, 2.18.0, 2.14.0 |
| ruby | json | >= 2.14.0, < 2.15.2.1, >= 2.18.0, < 2.19.2, >= 2.16.0, < 2.17.1.2 |
Exploit Intelligence
- CIRCL seen: CVE-2026-33210 (circl-sighting)
- CIRCL seen: CVE-2026-33210 (circl-sighting)
- https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3 (circl)
- 10.yaml (github-poc)
- 10.yaml (github-poc)
- bundler-audit.yml (github-poc)
- bundler-audit.yml (github-poc)
- bundler-audit.yml (github-poc)
- bundler-audit.yml (github-poc)
- bundler-audit.yml (github-poc)
…and 28 more exploits
Timeline
- Mar 19, 2026 CVE Published
- Mar 20, 2026 Security Advisory
- Mar 21, 2026 EPSS Score
- Mar 21, 2026 PoC Published
- Mar 22, 2026 EPSS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 25, 2026 CVE Updated
- Mar 25, 2026 EPSS Score
- Mar 31, 2026 PoC Published
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score