CVE-2026-14803: Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_deco
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.
The pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.
This path is the default when Cpanel::JSON::XS is not installed or MOJO_NO_JSON_XS=1 is set; the Cpanel::JSON::XS fast path is not affected.
Any caller that decodes an untrusted JSON body, for example Mojo::Message::json reached through $c->req->json, can exhaust process memory and cause denial of service.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-14803
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-148030.33% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 25% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-14803 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Mojo
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-14109: Chromium: CVE-2026-14109 Insufficient policy enforcement in Mojomsrc · 2026-07-02
- criticalCVE-2026-14109: Insufficient policy enforcement in Mojo in Google Chrome prior to 150.0.7871.47 allowed a remo…nvd · 2026-06-30
- highCVE-2026-13281: Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker wh…nvd · 2026-06-25
- unknownCVE-2026-12018: Chromium: CVE-2026-12018 Inappropriate implementation Mojomsrc · 2026-06-09
- criticalexploitedCVE-2025-2783: Google Chromium Mojo Sandbox Escape Vulnerabilitycisa-kev · 2025-03-27
- criticalexploitedCVE-2022-3075: Google Chromium Mojo Insufficient Data Validation Vulnerabilitycisa-kev · 2022-09-08
More from NVD Recent CVEs
- highCVE-2026-58281: Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized at…2026-07-11
- mediumCVE-2026-10660: The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assi…2026-07-11
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…2026-07-11
- lowCVE-2026-61858: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and ext…2026-07-11