Vulnerability details: VCID-6gj4-t3v3-gyhp
Vulnerability ID VCID-6gj4-t3v3-gyhp
Aliases CVE-2026-32285
GHSA-6g7g-w4f8-9c9x
Summary Denial of service in github.com/buger/jsonparser. The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32285.json
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2026-32285
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2026-32285
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2026-32285
epss 0.00054 https://api.first.org/data/v1/epss?cve=CVE-2026-32285
epss 0.00057 https://api.first.org/data/v1/epss?cve=CVE-2026-32285
cvssv3.1 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://github.com/buger/jsonparser
generic_textual HIGH https://github.com/buger/jsonparser
cvssv3.1 7.5 https://github.com/buger/jsonparser/commit/a69e7e01cd4ad67bdfd3ac2c080b9212af16f4b0
generic_textual HIGH https://github.com/buger/jsonparser/commit/a69e7e01cd4ad67bdfd3ac2c080b9212af16f4b0
cvssv3.1 7.5 https://github.com/buger/jsonparser/issues/275
generic_textual HIGH https://github.com/buger/jsonparser/issues/275
ssvc Track https://github.com/buger/jsonparser/issues/275
cvssv3.1 7.5 https://github.com/buger/jsonparser/pull/276
generic_textual HIGH https://github.com/buger/jsonparser/pull/276
cvssv3.1 7.5 https://github.com/buger/jsonparser/releases/tag/v1.1.2
generic_textual HIGH https://github.com/buger/jsonparser/releases/tag/v1.1.2
cvssv3.1 7.5 https://github.com/golang/vulndb/issues/4514
generic_textual HIGH https://github.com/golang/vulndb/issues/4514
ssvc Track https://github.com/golang/vulndb/issues/4514
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-32285
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-32285
cvssv3.1 7.5 https://pkg.go.dev/vuln/GO-2026-4514
generic_textual HIGH https://pkg.go.dev/vuln/GO-2026-4514
ssvc Track https://pkg.go.dev/vuln/GO-2026-4514
cvssv3.1 7.5 https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026
generic_textual HIGH https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32285.json
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/buger/jsonparser
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/buger/jsonparser/commit/a69e7e01cd4ad67bdfd3ac2c080b9212af16f4b0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/buger/jsonparser/issues/275
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T14:05:55Z/ Found at https://github.com/buger/jsonparser/issues/275
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/buger/jsonparser/pull/276
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/buger/jsonparser/releases/tag/v1.1.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/golang/vulndb/issues/4514
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T14:05:55Z/ Found at https://github.com/golang/vulndb/issues/4514
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32285
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://pkg.go.dev/vuln/GO-2026-4514
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T14:05:55Z/ Found at https://pkg.go.dev/vuln/GO-2026-4514
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026
Exploit Prediction Scoring System (EPSS)
Percentile 0.05903
EPSS Score 0.00021
Published At May 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:25.409450+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6g7g-w4f8-9c9x/GHSA-6g7g-w4f8-9c9x.json 38.0.0