Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
More details in https://www.cve.org/CVERecord?id=CVE-2026-32874 and https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm; fixed in 5.12.0 with https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2. We can’t update python-ujson past 5.8.0 in EPEL9 because 5.9.0, https://github.com/ultrajson/ultrajson/releases/tag/5.9.0, contained a breaking change. However, it looks like it will be possible to cleanly backport the commit that fixes this particular defect.
FEDORA-EPEL-2026-37ef30e238 (python-ujson-5.8.0-2.el9) has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-37ef30e238
FEDORA-EPEL-2026-37ef30e238 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-37ef30e238 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2026-37ef30e238 (python-ujson-5.8.0-2.el9) has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report.