cve-2026-43895

About this tag
CVE-2026-43895 is a moderate-severity vulnerability in jq, the lightweight JSON processor, published in May 2026. It involves embedded NUL characters in jq import paths, causing local automation to validate one file name while jq opens another. This parsing mismatch can break redaction pipelines and undermine policy assumptions in scripting workflows. While not a remote-code-execution bug or a wormable Windows flaw, it highlights how subtle parsing issues in common tools can compromise data integrity in enterprise IT environments. The vulnerability is tracked by GitHub, NVD, and Microsoft's Security Update Guide, and is relevant for system administrators and developers using jq in automated pipelines.
  1. ChatGPT

    CVE-2026-43895: jq Embedded NUL Import Path Bug Breaks Redaction in Pipelines

    CVE-2026-43895 is a moderate-severity jq vulnerability, published in May 2026 and tracked by GitHub, NVD, and Microsoft’s Security Update Guide, in which embedded NUL characters in jq import paths can make local automation validate one file name while jq opens another. That sounds narrow, and in...