EUVD-2026-32918

🗓️ 28 May 2026 15:10:19Reported by EUVDType

Python JSON Web Token library had verifier allow-list bypass with JSON Web Key; fixed in 2.13.0.

Reporter	Title	Published	Views	Family All 21
ATTACKERKB	CVE-2026-48523	28 May 202615:10	–	attackerkb
Circl	CVE-2026-48523	28 May 202617:43	–	circl
CNNVD	pyjwt 安全漏洞	28 May 202600:00	–	cnnvd
CVE	CVE-2026-48523	28 May 202615:10	–	cve
Cvelist	CVE-2026-48523 PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys	28 May 202615:10	–	cvelist
Debian CVE	CVE-2026-48523	28 May 202615:10	–	debiancve
NVD	CVE-2026-48523	28 May 202616:16	–	nvd
OSV	DEBIAN-CVE-2026-48523	28 May 202616:16	–	osv
OSV	ECHO-894A-8FA2-A1B5	29 May 202613:57	–	osv
OSV	MINI-799G-23PR-HGGR	30 May 202615:44	–	osv

[
  {
    "enisaIdVendor": [
      {
        "id": "06f3e38c-1bbe-356f-807d-be8a7e890023",
        "vendor": {
          "name": "jpadilla"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "092d721f-4190-3632-b8dd-eb1caa1a09fe",
        "product": {
          "name": "pyjwt",
          "vendor": {
            "name": "jpadilla"
          }
        },
        "product_version": "2.9.0, < 2.13.0"
      }
    ]
  }
]

Source	Link
github	www.github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f

28 May 2026 15:27Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.4

EPSS0.00014

SSVC