{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-32875",
        "tracking": {
            "current_release_date": "2026-03-29T16:57:02.021121Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-32875",
            "initial_release_date": "2026-03-18T13:39:36.402521Z",
            "revision_history": [
                {
                    "date": "2026-03-18T13:39:36.402521Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-18T13:39:40.922125Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-19T11:40:12.143345Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:23:57.011872Z",
                    "number": "4",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:24:00.277237Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:24:24.579364Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:24:27.544658Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:32:25.925987Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (3).| Product Identifiers created (3).| Product Remediations created (6).| Products created (3).| References created (5).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-20T18:32:31.787890Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T21:41:36.851915Z",
                    "number": "10",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-20T21:59:26.982772Z",
                    "number": "11",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-21T00:44:48.388449Z",
                    "number": "12",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products connected (2)."
                },
                {
                    "date": "2026-03-21T00:44:50.746891Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-21T13:47:21.651179Z",
                    "number": "14",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-22T00:51:47.453912Z",
                    "number": "15",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-22T11:24:50.603116Z",
                    "number": "16",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-23T00:53:57.416529Z",
                    "number": "17",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-23T05:15:54.090339Z",
                    "number": "18",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-24T02:10:59.290582Z",
                    "number": "19",
                    "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-24T02:11:10.675928Z",
                    "number": "20",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:56:16.622351Z",
                    "number": "21",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-25T15:39:19.279406Z",
                    "number": "22",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-25T18:37:07.472960Z",
                    "number": "23",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (4).| Product Identifiers created (11).| Products connected (8).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-29T16:56:55.617008Z",
                    "number": "24",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "24"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/16.2",
                                "product": {
                                    "name": "vers:rpm/16.2",
                                    "product_id": "CSAFPID-1441187",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:openstack:16.2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat OpenStack Platform 16.2"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/17.1",
                                "product": {
                                    "name": "vers:rpm/17.1",
                                    "product_id": "CSAFPID-1441193",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:openstack:17.1"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat OpenStack Platform 17.1"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/18.0",
                                "product": {
                                    "name": "vers:rpm/18.0",
                                    "product_id": "CSAFPID-1441197",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:openstack:18.0"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat OpenStack Platform 18.0"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5875022"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "python-ujson"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat OpenStack Platform 16.2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5875023"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "python-ujson"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat OpenStack Platform 17.1"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5875026"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "python-ujson"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat OpenStack Platform 18.0"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=5.1.0|<5.12.0",
                                "product": {
                                    "name": "vers:unknown/>=5.1.0|<5.12.0",
                                    "product_id": "CSAFPID-5895589",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:ultrajson_project:ultrajson:*:*:*:*:*:python:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "UltraJSON"
                    }
                ],
                "category": "vendor",
                "name": "UltraJSON Project"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-5879011"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ujson"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-1404751"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ujson"
                            }
                        ],
                        "category": "product_family",
                        "name": "bullseye"
                    }
                ],
                "category": "vendor",
                "name": "Debian"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.1.0",
                                "product": {
                                    "name": "vers:unknown/5.1.0",
                                    "product_id": "CSAFPID-5908045",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.1.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.10.0",
                                "product": {
                                    "name": "vers:unknown/5.10.0",
                                    "product_id": "CSAFPID-5908036",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.10.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.11.0",
                                "product": {
                                    "name": "vers:unknown/5.11.0",
                                    "product_id": "CSAFPID-5908037",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.11.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.2.0",
                                "product": {
                                    "name": "vers:unknown/5.2.0",
                                    "product_id": "CSAFPID-5908046",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.2.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.3.0",
                                "product": {
                                    "name": "vers:unknown/5.3.0",
                                    "product_id": "CSAFPID-5908047",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.3.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.4.0",
                                "product": {
                                    "name": "vers:unknown/5.4.0",
                                    "product_id": "CSAFPID-5908038",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.4.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.5.0",
                                "product": {
                                    "name": "vers:unknown/5.5.0",
                                    "product_id": "CSAFPID-5908039",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.5.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.6.0",
                                "product": {
                                    "name": "vers:unknown/5.6.0",
                                    "product_id": "CSAFPID-5908040",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.6.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.7.0",
                                "product": {
                                    "name": "vers:unknown/5.7.0",
                                    "product_id": "CSAFPID-5908041",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.7.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.8.0",
                                "product": {
                                    "name": "vers:unknown/5.8.0",
                                    "product_id": "CSAFPID-5908042",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.8.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/5.9.0",
                                "product": {
                                    "name": "vers:unknown/5.9.0",
                                    "product_id": "CSAFPID-5908043",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/ujson@5.9.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=5.1.0|<5.12.0",
                                "product": {
                                    "name": "vers:unknown/>=5.1.0|<5.12.0",
                                    "product_id": "CSAFPID-5908048"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "ujson"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=5.1.0|<5.12.0",
                                "product": {
                                    "name": "vers:unknown/>=5.1.0|<5.12.0",
                                    "product_id": "CSAFPID-5874295"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "ultrajson"
                    }
                ],
                "category": "vendor",
                "name": "ultrajson"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-32875",
            "cwe": {
                "id": "CWE-190",
                "name": "Integer Overflow or Wraparound"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Summary\n\n`ujson.dumps()` crashes the Python interpreter (segmentation fault) when the product of the `indent` parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the `indent` is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service.\n\n(Note: A negative indent to `ujson` means add spaces after colons but do not add line breaks or indentation. It is unclear to the current maintainers whether this was ever even an intended feature or just a byproduct of the way it was written.)\n\n### Exploitability\n\nTo be vulnerable, a service must call `ujson.dump()`/`ujson.dumps()`/`ujson.encode()` whilst giving untrusted users control over the `indent` parameter and not restrict that indentation to reasonably small non-negative values. (Even with the fix for this vulnerability, such usage is strongly advised against since even a bug-free JSON serialiser would be vulnerable to denial of service simply by the attacker requesting indents that have the server needlessly filling out gigabytes of whitespace.)\n\nA service may also be vulnerable to the infinite loop if it uses a fixed _negative_ `indent`. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. \nAs far as the maintainers are aware, the infinite loop can not be reached for indentations from -1 to -65536 / max_recursion_depth_as_limited_by_stack_size but users of negative indents are encouraged to consider their service affected even if the infinite loop seems unreachable.\n\n### Example\n\n```python\nimport ujson\n\ndef example(depth, indent):\n    a = [0]\n    for i in range(1000):\n        a = [a]\n    ujson.dumps(a, indent=indent)\n\nexample(1, 2**30)  # segfault\nexample(1000, -200)  # infinite loop\n```\n\n### Patches\n\nujson 5.12.0, containing 486bd4553dc471a1de11613bc7347a6b318e37ea, promotes the integer types where the overflow occurred, skips the indentation code path for negative indent (which was supposed to be a no-op) and places an artificial cap of 1000 on the `indent` parameter.\n\n### Workarounds\n\nUsers who don't wish to upgrade can either use a fixed indentation, no indentation or ensure indentation is non-negative and not enormous (below `2**31 / max_recursion_depth_as_limited_by_stack_size`).\n\n### References\n\nThe original bug report can be found at https://github.com/ultrajson/ultrajson/issues/700\n\nThis issue was independently discovered by @coco1629, @EthanKim88 and @vmfunc.",
                    "title": "github - https://github.com/advisories/GHSA-c8rr-9gxc-jprv"
                },
                {
                    "category": "description",
                    "text": "### Summary\n\n`ujson.dumps()` crashes the Python interpreter (segmentation fault) when the product of the `indent` parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the `indent` is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service.\n\n(Note: A negative indent to `ujson` means add spaces after colons but do not add line breaks or indentation. It is unclear to the current maintainers whether this was ever even an intended feature or just a byproduct of the way it was written.)\n\n### Exploitability\n\nTo be vulnerable, a service must call `ujson.dump()`/`ujson.dumps()`/`ujson.encode()` whilst giving untrusted users control over the `indent` parameter and not restrict that indentation to reasonably small non-negative values. (Even with the fix for this vulnerability, such usage is strongly advised against since even a bug-free JSON serialiser would be vulnerable to denial of service simply by the attacker requesting indents that have the server needlessly filling out gigabytes of whitespace.)\n\nA service may also be vulnerable to the infinite loop if it uses a fixed _negative_ `indent`. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. \nAs far as the maintainers are aware, the infinite loop can not be reached for indentations from -1 to -65536 / max_recursion_depth_as_limited_by_stack_size but users of negative indents are encouraged to consider their service affected even if the infinite loop seems unreachable.\n\n### Example\n\n```python\nimport ujson\n\ndef example(depth, indent):\n    a = [0]\n    for i in range(1000):\n        a = [a]\n    ujson.dumps(a, indent=indent)\n\nexample(1, 2**30)  # segfault\nexample(1000, -200)  # infinite loop\n```\n\n### Patches\n\nujson 5.12.0, containing 486bd4553dc471a1de11613bc7347a6b318e37ea, promotes the integer types where the overflow occurred, skips the indentation code path for negative indent (which was supposed to be a no-op) and places an artificial cap of 1000 on the `indent` parameter.\n\n### Workarounds\n\nUsers who don't wish to upgrade can either use a fixed indentation, no indentation or ensure indentation is non-negative and not enormous (below `2**31 / max_recursion_depth_as_limited_by_stack_size`).\n\n### References\n\nThe original bug report can be found at https://github.com/ultrajson/ultrajson/issues/700\n\nThis issue was independently discovered by @coco1629, @EthanKim88 and @vmfunc.",
                    "title": "github - https://api.github.com/advisories/GHSA-c8rr-9gxc-jprv"
                },
                {
                    "category": "description",
                    "text": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32875"
                },
                {
                    "category": "description",
                    "text": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32875.json"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in UltraJSON, a fast JSON encoder and decoder. This vulnerability allows a remote attacker to cause a denial of service (DoS) by providing a specially crafted large positive or negative indent value to the JSON serialization functions. This can lead to a buffer overflow, causing the Python interpreter to crash, or an infinite loop, making the application unresponsive. The issue stems from an integer overflow or underflow during memory allocation for indentation.\nThis is an IMPORTANT denial of service flaw in UltraJSON, affecting Red Hat products that utilize `python-ujson`, including various Community Projects and Red Hat OpenStack Platform. The vulnerability arises when applications process untrusted input that controls the `indent` parameter in JSON serialization functions, potentially leading to a Python interpreter crash or an infinite loop. Exploitation requires a service to explicitly expose the `indent` parameter to untrusted users without proper validation.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32875.json"
                },
                {
                    "category": "description",
                    "text": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-32875"
                },
                {
                    "category": "description",
                    "text": "### Summary\n\n`ujson.dumps()` crashes the Python interpreter (segmentation fault) when the product of the `indent` parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the `indent` is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service.\n\n(Note: A negative indent to `ujson` means add spaces after colons but do not add line breaks or indentation. It is unclear to the current maintainers whether this was ever even an intended feature or just a byproduct of the way it was written.)\n\n### Exploitability\n\nTo be vulnerable, a service must call `ujson.dump()`/`ujson.dumps()`/`ujson.encode()` whilst giving untrusted users control over the `indent` parameter and not restrict that indentation to reasonably small non-negative values. (Even with the fix for this vulnerability, such usage is strongly advised against since even a bug-free JSON serialiser would be vulnerable to denial of service simply by the attacker requesting indents that have the server needlessly filling out gigabytes of whitespace.)\n\nA service may also be vulnerable to the infinite loop if it uses a fixed _negative_ `indent`. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. 
As far as the maintainers are aware, the infinite loop can not be reached for indentations from -1 to -65536 / max_recursion_depth_as_limited_by_stack_size but users of negative indents are encouraged to consider their service affected even if the infinite loop seems unreachable.\n\n### Example\n\n```python\nimport ujson\n\ndef example(depth, indent):\n    a = [0]\n    for i in range(1000):\n        a = [a]\n    ujson.dumps(a, indent=indent)\n\nexample(1, 2**30)  # segfault\nexample(1000, -200)  # infinite loop\n```\n\n### Patches\n\nujson 5.12.0, containing 486bd4553dc471a1de11613bc7347a6b318e37ea, promotes the integer types where the overflow occurred, skips the indentation code path for negative indent (which was supposed to be a no-op) and places an artificial cap of 1000 on the `indent` parameter.\n\n### Workarounds\n\nUsers who don't wish to upgrade can either use a fixed indentation, no indentation or ensure indentation is non-negative and not enormous (below `2**31 / max_recursion_depth_as_limited_by_stack_size`).\n\n### References\n\nThe original bug report can be found at https://github.com/ultrajson/ultrajson/issues/700\n\nThis issue was independently discovered by @coco1629, @EthanKim88 and @vmfunc.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/PyPI%2FGHSA-c8rr-9gxc-jprv.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00038",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.2",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to a product by vendor Red Hat, There is product_remediation data available from source Redhat, There is exploit data available from source Nvd, The value of the most recent CVSS (V3) score",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5874295",
                    "CSAFPID-1441187",
                    "CSAFPID-1441193",
                    "CSAFPID-1441197",
                    "CSAFPID-5875022",
                    "CSAFPID-5875023",
                    "CSAFPID-5875026",
                    "CSAFPID-1404751",
                    "CSAFPID-5879011",
                    "CSAFPID-5895589",
                    "CSAFPID-5908036",
                    "CSAFPID-5908037",
                    "CSAFPID-5908038",
                    "CSAFPID-5908039",
                    "CSAFPID-5908040",
                    "CSAFPID-5908041",
                    "CSAFPID-5908042",
                    "CSAFPID-5908043",
                    "CSAFPID-5908045",
                    "CSAFPID-5908046",
                    "CSAFPID-5908047",
                    "CSAFPID-5908048"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-c8rr-9gxc-jprv"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-c8rr-9gxc-jprv"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-c8rr-9gxc-jprv"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32875"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32875.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32875.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-32875"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/PyPI%2FGHSA-c8rr-9gxc-jprv.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c8rr-9gxc-jprv"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/ultrajson/ultrajson/issues/700"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-c8rr-9gxc-jprv"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-32875"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32875"
                }
            ],
            "remediations": [
                {
                    "category": "mitigation",
                    "details": "To mitigate this issue, applications utilizing `python-ujson` should ensure that the `indent` parameter in `ujson.dump()`, `ujson.dumps()`, or `ujson.encode()` functions is not controlled by untrusted input. If untrusted input must influence indentation, restrict the `indent` value to reasonably small, non-negative integers. Review application code to identify and validate all uses of the `indent` parameter with external data. Note that the upstream advisory also treats services using a fixed negative `indent` as affected by the infinite loop, and advises against exposing `indent` to untrusted input even after upgrading to the fixed release (ujson 5.12.0), since a correct serializer can still be made to emit very large amounts of whitespace.",
                    "product_ids": [
                        "CSAFPID-1441187",
                        "CSAFPID-1441193",
                        "CSAFPID-1441197",
                        "CSAFPID-5875022",
                        "CSAFPID-5875023",
                        "CSAFPID-5875026"
                    ]
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                        "baseScore": 7.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-1404751",
                        "CSAFPID-1441187",
                        "CSAFPID-1441193",
                        "CSAFPID-1441197",
                        "CSAFPID-5874295",
                        "CSAFPID-5875022",
                        "CSAFPID-5875023",
                        "CSAFPID-5875026",
                        "CSAFPID-5879011",
                        "CSAFPID-5895589",
                        "CSAFPID-5908036",
                        "CSAFPID-5908037",
                        "CSAFPID-5908038",
                        "CSAFPID-5908039",
                        "CSAFPID-5908040",
                        "CSAFPID-5908041",
                        "CSAFPID-5908042",
                        "CSAFPID-5908043",
                        "CSAFPID-5908045",
                        "CSAFPID-5908046",
                        "CSAFPID-5908047",
                        "CSAFPID-5908048"
                    ]
                }
            ],
            "title": "CVE-2026-32875"
        }
    ]
}