Information on source package jq

Available versions

Release	Version
bullseye	1.6-2.1
bullseye (security)	1.6-2.1+deb11u2
bookworm	1.6-2.1+deb12u1
trixie	1.7.1-6+deb13u2
forky	1.8.1-5
sid	1.8.1-6

Open issues

Bug	bullseye	bookworm	trixie	forky	sid	Description
CVE-2026-44777	fixed	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable	fixed	jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordi ...
CVE-2026-43896	fixed	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable	fixed	jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded r ...
CVE-2026-43895	fixed	vulnerable	vulnerable	vulnerable	fixed	jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts ...
CVE-2026-43894	vulnerable	vulnerable	vulnerable	vulnerable	fixed	jq is a command-line JSON processor. In 1.8.1 and earlier, when decNum ...
CVE-2026-41257	fixed	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable	fixed	jq is a command-line JSON processor. In 1.8.1 and earlier, the jq byte ...
CVE-2026-41256	fixed	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable	fixed	jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level j ...
CVE-2026-40164	fixed	vulnerable (no DSA)	fixed	fixed	fixed	jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6 ...
CVE-2026-39979	fixed	vulnerable (no DSA)	fixed	fixed	fixed	jq is a command-line JSON processor. In commits before 2f09060afab23fe ...
CVE-2026-39956	fixed	vulnerable (no DSA)	fixed	fixed	fixed	jq is a command-line JSON processor. In commits after 69785bf77f86e2ea ...
CVE-2026-33948	fixed	vulnerable (no DSA)	fixed	fixed	fixed	jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18e ...
CVE-2026-33947	fixed	vulnerable (no DSA)	fixed	fixed	fixed	jq is a command-line JSON processor. In versions 1.8.1 and below, func ...
CVE-2026-32316	fixed	vulnerable (no DSA)	fixed	fixed	fixed	jq is a command-line JSON processor. An integer overflow vulnerability ...

Open unimportant issues

Bug	bullseye	bookworm	trixie	forky	sid	Description
CVE-2026-40612	vulnerable	vulnerable	vulnerable	vulnerable	fixed	jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains ...
CVE-2025-9403	vulnerable	vulnerable	vulnerable	vulnerable	vulnerable	A vulnerability was determined in jqlang jq up to 1.6. Impacted is the ...
CVE-2024-23337	vulnerable	vulnerable	fixed	fixed	fixed	jq is a command-line JSON processor. In versions up to and including 1 ...

Resolved issues

Bug	Description
CVE-2025-49014	jq is a command-line JSON processor. In version 1.8.0 a heap use after ...
CVE-2025-48060	jq is a command-line JSON processor. In versions up to and including 1 ...
CVE-2024-53427	decNumberCopy in decNumber.c in jq through 1.7.1 does not properly con ...
CVE-2023-50268	jq is a command-line JSON processor. Version 1.7 is vulnerable to stac ...
CVE-2023-50246	jq is a command-line JSON processor. Version 1.7 is vulnerable to heap ...
CVE-2023-49355	decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out- ...
CVE-2016-4074	The jv_dump_term function in jq 1.5 allows remote attackers to cause a ...
CVE-2015-8863	Off-by-one error in the tokenadd function in jv_parse.c in jq allows r ...

Security announcements

DSA / DLA	Description
DLA-4599-1	jq - security update
DLA-4307-1	jq - security update