A type confusion vulnerability in the Perl Cpanel::JSON::XS module, tracked as CVE-2026-9334, allows attackers to bypass JSON validation when dupkeys_as_arrayref is enabled. Versions before 4.41 collapse duplicate object keys, which can be exploited to inject unexpected data types into parsed JSON structures.
What Is the Vulnerability?
CVE-2026-9334 exists in the decode_hv() function. When the dupkeys_as_arrayref option is enabled, duplicate JSON object keys are collapsed into an arrayref. The collapsing logic, however, does not properly handle type validation, so a crafted JSON payload with duplicate keys can produce a parsed structure whose values have unexpected types, bypassing schema validation in applications that rely on JSON::XS for parsing.
- CVSS v3.1 Score: 7.5 (High)
- CWE: CWE-843 (Type Confusion)
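An added example (not the advisory's or the module's own code) of the defensive check this passage implies: validate value types after decoding, so a duplicate key collapsed into an arrayref is rejected whatever the module version. It assumes the dupkeys_as_arrayref accessor named above and the B flag test for distinguishing JSON numbers from strings; the schema and the two inputs are constructed.

```perl
use strict;
use warnings;
use B ();
use Scalar::Util qw(reftype);
use Cpanel::JSON::XS ();

# Constructed schema (hypothetical): the JSON type each top-level key must hold.
my %SCHEMA = ( id => 'number', name => 'string', tags => 'array' );

# Decoder configured as in the advisory: duplicate keys collapse into an arrayref.
my $decoder = Cpanel::JSON::XS->new->utf8->dupkeys_as_arrayref;

# Classify a decoded Perl value by the JSON type it was parsed from.
sub json_type {
    my ($v) = @_;
    return 'null' unless defined $v;
    my $r = reftype($v) // '';
    return 'array'  if $r eq 'ARRAY';
    return 'object' if $r eq 'HASH';
    return 'bool'   if $r eq 'SCALAR';   # true/false decode to blessed scalar refs
    # JSON numbers decode with IOK/NOK set and no POK; JSON strings carry POK.
    my $flags   = B::svref_2object(\$v)->FLAGS;
    my $numeric = ($flags & (B::SVp_IOK() | B::SVp_NOK())) && !($flags & B::SVp_POK());
    return $numeric ? 'number' : 'string';
}

# Validate types *after* decoding: every schema key that is present must carry the
# expected JSON type, so an arrayref produced by duplicate keys is rejected here
# instead of reaching application code that expected a scalar.
sub validate_types {
    my ($data, $schema) = @_;
    return (0, 'top-level value is not an object') unless (reftype($data) // '') eq 'HASH';
    for my $key (sort keys %$schema) {
        next unless exists $data->{$key};
        my $got = json_type($data->{$key});
        return (0, "key '$key': expected $schema->{$key}, got $got") if $got ne $schema->{$key};
    }
    return (1, 'ok');
}

# Constructed inputs: one clean document and one with a duplicated key.
my @inputs = (
    '{"id": 42, "name": "alice", "tags": ["x"]}',
    '{"id": 42, "id": "42", "name": "alice"}',
);
for my $json (@inputs) {
    my $data = eval { $decoder->decode($json) };
    my ($ok, $why) = $data ? validate_types($data, \%SCHEMA) : (0, "decode failed: $@");
    printf "%-45s => %s\n", $json, $ok ? 'accepted' : "rejected ($why)";
}
```

The second input is refused because the collapsed id value is no longer a number, which is the check an upstream schema validator would otherwise miss.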
Which Versions Are Affected?
- Cpanel::JSON::XS: all versions prior to 4.41
What Is the Fix?
Update Cpanel::JSON::XS to version 4.41 or later via CPAN: cpanm Cpanel::JSON::XS@4.41
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
