CVE-2026-33210
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injectio
CVSS
9.1
Crítico
EPSS
0.8%
p54
KEV
—
Exploit Today
16
0-100
Publicado: 20 mar 2026 · Última mod.: 15 jul 2026 · CWE-134
0.8%EPSS · 30 días0.8%
2026-06-302026-07-16
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
- github.comhttps://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20596
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20606
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-33210
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2449871
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33210.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-221907.5 ALT23.2%
——7The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.3dCVE-2026-156807.5 ALT17.5%
——5Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.3dCVE-2026-464655.5 MED14.8%
——4Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an use of externally-controlled format string vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and denial of service.9dCVE-2026-158097.8 ALT2.6%
——1A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.1d