Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

alma_linux ALSA-2026:20596: ALSA-2026:20596: ruby:4.0 security update (High)

redhat RHSA-2026:20606: RHSA-2026:20606: ruby4.0 security update (Important)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:20596 advisory.

    Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text     files and to perform system management tasks.

    Security Fix(es):

    * ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection     (CVE-2026-33210)

    * erb: ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3a7663d43d advisory.

    New version 2.19.2 is released. This fixes a format string injection vulnerability in JSON.parse, which is     now assigned as CVE-2026-33210

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-8c07fcde49 advisory.

    This new updates backports a fix for a format string injection vulnerability in JSON.parse, which is now     assigned as CVE-2026-33210

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2,     and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information     disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.
    This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2. (CVE-2026-33210)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
316780	RHEL 9 : ruby:4.0 (RHSA-2026:20596)	Nessus	Red Hat Local Security Checks	high
304041	Fedora 44 : rubygem-json (2026-3a7663d43d)	Nessus	Fedora Local Security Checks	high
303923	Fedora 43 : rubygem-json (2026-8c07fcde49)	Nessus	Fedora Local Security Checks	high
303258	Linux Distros Unpatched Vulnerability : CVE-2026-33210	Nessus	Misc.	high

Detections

Analytics

CVE-2026-33210

high

Tenable Plugins

Coming Soon

high

high

high

high