Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:20606 advisory.

    * ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection     (CVE-2026-33210)

    * erb: ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:20606 advisory.

    * ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection     (CVE-2026-33210)
      * erb: ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:20596 advisory.

    * ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection     (CVE-2026-33210)

    * erb: ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:20596 advisory.

    * ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection     (CVE-2026-33210)
      * erb: ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:20606 advisory.

    Ruby is the interpreted scripting language for quick and easy object-oriented programming.  It has many     features to process text files and to do system management tasks (as in Perl).  It is simple, straight-     forward, and extensible.

    Security Fix(es):

    * ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection     (CVE-2026-33210)

    * erb: ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:20596 advisory.

    Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text     files and to perform system management tasks.

    Security Fix(es):

    * ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection     (CVE-2026-33210)

    * erb: ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3a7663d43d advisory.

    New version 2.19.2 is released. This fixes a format string injection vulnerability in JSON.parse, which is     now assigned as CVE-2026-33210

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-8c07fcde49 advisory.

    This new updates backports a fix for a format string injection vulnerability in JSON.parse, which is now     assigned as CVE-2026-33210

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2,     and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information     disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.
    This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2. (CVE-2026-33210)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
318643	RockyLinux 10 : ruby4.0 (RLSA-2026:20606)	Nessus	Rocky Linux Local Security Checks	high
318614	AlmaLinux 10 : ruby4.0 (ALSA-2026:20606)	Nessus	Alma Linux Local Security Checks	high
318036	RockyLinux 9 : ruby:4.0 (RLSA-2026:20596)	Nessus	Rocky Linux Local Security Checks	high
317110	AlmaLinux 9 : ruby:4.0 (ALSA-2026:20596)	Nessus	Alma Linux Local Security Checks	high
317000	RHEL 10 : ruby4.0 (RHSA-2026:20606)	Nessus	Red Hat Local Security Checks	high
316780	RHEL 9 : ruby:4.0 (RHSA-2026:20596)	Nessus	Red Hat Local Security Checks	high
304041	Fedora 44 : rubygem-json (2026-3a7663d43d)	Nessus	Fedora Local Security Checks	high
303923	Fedora 43 : rubygem-json (2026-8c07fcde49)	Nessus	Fedora Local Security Checks	high
303258	Linux Distros Unpatched Vulnerability : CVE-2026-33210	Nessus	Misc.	high

Detections

Analytics

CVE-2026-33210

high

Tenable Plugins

high

high

high

high

high

high

high

high

high