44 matches found

OSSF Malicious Packages
added 2026/06/05 12:53 a.m. | 71 views

Malicious code in @vapi-ai/server-sdk (npm)

Source: google-open-source-security. The Miasma malware is a self-propagating worm that spreads across the npm registry by abusing weaponized binding.gyp files to achieve...

AI score: 5.7
Exploits: 0 | References: 2

Veracode
added 2026/03/21 5:25 a.m. | 4 views

Authentication Bypass

Authlib is vulnerable to Authentication Bypass. The vulnerability is due to fail-open behavior in the verifyhash function when processing unsupported or unknown algorithms, where hash validation incorrectly returns success, allowing attackers to forge ID Tokens and bypass integrity checks...

CVSS: 8.2 | AI score: 5.8 | EPSS: 0.00201
Exploits: 1 | References: 3 | Affected software: 1

RedhatCVE
added 2026/03/16 7:19 p.m. | 3 views

CVE-2026-28498

A flaw was found in Authlib, a Python library used for building OAuth and OpenID Connect OIDC servers. This vulnerability allows a remote attacker to bypass critical integrity checks in OIDC ID Tokens. Specifically, the library's internal hash verification logic fails open when encountering an...

CVSS: 9.1 | AI score: 5.8 | EPSS: 0.00201
Exploits: 1 | References: 6

Tenable Nessus
added 2026/03/16 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-28498

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib...

CVSS: 8.2 | AI score: 7.2 | EPSS: 0.00201
Exploits: 1 | References: 3

CVE
added 2026/03/11 4:42 p.m. | 14 views

CVE-2026-31813

CVE-2026-31813 affects Supabase Auth. Before version 2.185.0, if Apple or Azure as OIDC providers are enabled, an attacker can create a valid, asymmetrically signed ID token from their issuer for each victim email and send it to the token endpoint using the ID token flow. If the ID token is OIDC ...

CVSS: 4.8 | AI score: 5.9 | EPSS: 0.00138
Exploits: 0 | References: 1 | Affected software: 1

Cvelist
added 2026/03/11 4:42 p.m. | 29 views

CVE-2026-31813 Supabase Auth has insecure Apple and Azure authentication with ID tokens

Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...

CVSS: 4.8 | EPSS: 0.00138
Exploits: 0 | References: 1

Vulnrichment
added 2026/03/11 4:42 p.m. | 3 views

CVE-2026-31813 Supabase Auth has insecure Apple and Azure authentication with ID tokens

Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...

CVSS: 4.8 | AI score: 5.9 | EPSS: 0.00138
Exploits: 0 | References: 1

Veracode
added 2026/03/02 6:38 p.m. | 6 views

Incorrect Authorization

Auth0-PHP is vulnerable to Incorrect Authorization. The vulnerability is due to improper validation of access tokens, where affected applications may accept ID tokens as Access tokens, and attackers can exploit this by manipulating the audience validation in access tokens...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.00368
Exploits: 0 | References: 13 | Affected software: 1

RedhatCVE
added 2025/12/18 10:37 p.m. | 3 views

CVE-2025-68129

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if the...

CVSS: 6.8 | AI score: 6.9 | EPSS: 0.00368
Exploits: 0 | References: 1

OSV
added 2025/12/17 10:07 p.m. | 6 views

CVE-2025-68129 Auth0-PHP SDK has Improper Audience Validation

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if the...

CVSS: 6.8 | AI score: 6.8 | EPSS: 0.00368
Exploits: 0 | References: 14

CVE
added 2025/12/17 10:07 p.m. | 8 views

CVE-2025-68129

CVSS and description : CVE-2025-68129 relates to improper audience validation in Auth0-PHP, potentially allowing ID tokens to be accepted as access tokens. The issue affects Auth0-PHP versions 8.0.0 through 8.17.0, and applications using dependent SDKs that rely on those Auth0-PHP versions: Symfo...

CVSS: 7.5 | AI score: 6.6 | EPSS: 0.00368
Exploits: 0 | References: 12 | Affected software: 4

OSV
added 2025/12/17 8:57 p.m. | 3 views

GHSA-VVG7-8RMQ-92G7 Auth0 WordPress has Improper Audience Validation via Auth0-PHP SDK Dependency

Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Affected product and versions Projects are affected if they meet the following...

CVSS: 6.8 | AI score: 6.8 | EPSS: 0.00368
Exploits: 0 | References: 4

OSV
added 2025/12/17 8:55 p.m. | 3 views

GHSA-7HH9-GP72-WH7H Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency

Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Affected product and versions Users are affected if they meet the following...

CVSS: 6.8 | AI score: 6.8 | EPSS: 0.00368
Exploits: 0 | References: 4

Github Security Blog
added 2025/12/17 8:55 p.m. | 6 views

Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency

Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Affected product and versions Users are affected if they meet the following...

AI score: 6.9
Exploits: 0 | References: 4 | Affected software: 1

OSV
added 2025/12/17 8:52 p.m. | 3 views

GHSA-J2VM-WRQ3-F7GF Auth0-PHP SDK has Improper Audience Validation

Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Affected product and versions Projects are affected if they meet the following...

CVSS: 6.8 | AI score: 6.8 | EPSS: 0.00368
Exploits: 0 | References: 14

Github Security Blog
added 2025/12/17 8:52 p.m. | 7 views

Auth0-PHP SDK has Improper Audience Validation

Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Affected product and versions Projects are affected if they meet the following...

CVSS: 7.5 | AI score: 6.9 | EPSS: 0.00368
Exploits: 0 | References: 14 | Affected software: 1

Positive Technologies
added 2025/12/17 12:00 a.m. | 3 views

PT-2025-51935

Name of the Vulnerable Software and Affected Versions Auth0-PHP versions 8.0.0 through 8.17.0 Auth0/symfony versions 5.0.0 through 5.5.0 Auth0/laravel-auth0 versions 7.0.0 through 7.19.0 Auth0/wordpress plugin versions 5.0.0-BETA0 through 5.4.0 Description The Auth0-PHP SDK contains a flaw in how...

CVSS: 6.8 | AI score: 6.6 | EPSS: 0.00368
Exploits: 0 | References: 15

CNNVD
added 2025/12/17 12:00 a.m. | 3 views

Auth0-PHP security vulnerability

Auth0-PHP is an Auth0 open source PHP SDK for Auth0 authentication and management APIs. A security vulnerability exists in Auth0-PHP versions 8.0.0 through 8.17.0 that stems from improper audience validation in access tokens, which could result in accepting ID tokens as access tokens...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.00368
Exploits: 0 | References: 13

EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2025-14884

Malicious code in bioql PyPI...

CVSS: 9.1 | AI score: 9.1 | EPSS: 0.0058
Exploits: 0 | References: 4

Tenable Nessus
added 2025/09/01 12:00 a.m. | 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-5819

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed...

CVSS: 5 | AI score: 5.5 | EPSS: 0.00216
Exploits: 0 | References: 2