6 matches found

OPENSUSE Linux
added 3 days ago, 5 views

python311-PyJWT-2.13.0-1.1 on GA media (moderate)

python311-PyJWT-2.13.0-1.1 on GA media
Announcement ID: openSUSE-SU-2026:11024-1
Rating: moderate
Cross-References: CVE-2026-48522 CVE-2026-48523 CVE-2026-48524 CVE-2026-48525 CVE-2026-48526
CVSS scores: CVE-2026-48522 SUSE : 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-48522 SUSE :...

CVSS 9.1, AI score 5.3, EPSS 0.0025
Exploits: 4
Tenable Nessus
added 2026/06/08 12:0 a.m., 10 views

TencentOS Server 4: python-jwt (TSSA-2026:0427)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0427 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

CVSS 5.4, AI score 5.8, EPSS 0.0025
Exploits: 3, References: 5
Circl
added 2026/05/28 5:18 p.m., 6 views

CVE-2026-48524

creationtimestamp | type | source
---|---|---
2026-05-28 17:18:42+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmwjprwno32c
2026-06-15 17:41:21+00:00 | seen | https://gist.github.com/alon710/1f95260cf4713d452e9aa65f49fefae4
2026-06-15 23:21:16+00:00 | seen | ...

CVSS 3.7, AI score 4.9, EPSS 0.00205
Exploits: 0, References: 3
vulnersOsv
added 2026/05/28 4:16 p.m., 4 views

360solutions-bc-mcp (>=0.5.3 <=0.5.6), 3di-cmd-client (>=0.0.1a0 <=0.0.3) +1507 more potentially affected by CVE-2026-48524 via pyjwt (>=0.2.1 <=2.12.1)

pyjwt PYPI version =0.2.1, =0.5.3, =0.0.1a0, =0.1.1, =1.0.0, =2.0.0, =1.1.1, =0.8.44.4, =0.1.0, =0.1.1, =0.1.1, =0.1.5 - affo-user-service =1.0.4 and more Source cves: CVE-2026-48524 Source advisory: OSV:PYSEC-2026-177...

CVSS 3.7, AI score 5.4, EPSS 0.00205
Exploits: 0
ATTACKERKB
added 2026/05/28 3:7 p.m., 6 views

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

CVSS 3.7, AI score 5.8, EPSS 0.00205
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2026/05/28 3:7 p.m., 31 views

CVE-2026-48524

CVE-2026-48524 affects PyJWT prior to 2.13.0. The issue is in PyJWKClient.get_signing_key(), which can force a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since the kid is from an unverified token header, an attacker can trigger unlimite...

CVSS 3.7, AI score 5.8, EPSS 0.00205
Exploits: 0, References: 1, Affected Software: 1