1576 matches found
CVE-2026-32597
PyJWT prior to 2.12.0 does not validate the crit header (RFC 7515 §4.1.11). If a JWS contains a crit array with extensions PyJWT cannot understand, the library accepts the token instead of rejecting it, violating the MUST requirement. This CVE affects PyJWT and is fixed in version 2.12.0. Remedia...
CVE-2026-32597 PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the `crit` (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a `crit` array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting...
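Added example, not PyJWT's own code or API: a `crit` validator written from the RFC 7515 §4.1.11 rules the entries above cite (non-empty array of strings, no registered JWS/JWA parameter names, every listed extension present in the header and implemented by the verifier), applied to the protected header of a compact JWS before any signature work. The function names (check_crit, crit_ok, protected_header, sample_jws), the REGISTERED_HEADERS set and the extension name http://example.invalid/ext are this example's own assumptions; the sample token is constructed with a placeholder signature because only the header matters here.

```python
"""RFC 7515 section 4.1.11: a JWS whose `crit` header names an extension the
verifier does not implement MUST be rejected, whatever its signature says."""
import base64
import json

# Header parameter names registered by JWS (RFC 7515) and JWA (RFC 7518).
# RFC 7515 forbids listing any of these in `crit`.
REGISTERED_HEADERS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit",
    "epk", "apu", "apv", "iv", "tag", "p2s", "p2c",
})


class CriticalHeaderError(ValueError):
    """`crit` is malformed or names an extension this verifier lacks."""


def check_crit(header, understood=frozenset()):
    """Enforce the `crit` rules on a parsed protected header.

    `understood` is the set of extension names this application implements.
    Returns the list of critical extensions checked ([] when `crit` is absent)
    or raises CriticalHeaderError.
    """
    if not isinstance(header, dict):
        raise CriticalHeaderError("protected header is not a JSON object")
    if "crit" not in header:
        return []
    crit = header["crit"]
    # Must be a non-empty array of strings.
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise CriticalHeaderError("crit must be a non-empty array of strings")
    for name in crit:
        if name in REGISTERED_HEADERS:
            raise CriticalHeaderError(f"crit must not list registered parameter {name!r}")
        if name not in header:
            raise CriticalHeaderError(f"crit names {name!r} but the header lacks it")
        if name not in understood:
            # This is the rejection PyJWT < 2.12.0 never performed.
            raise CriticalHeaderError(f"unsupported critical extension {name!r}")
    return list(crit)


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def protected_header(compact_jws):
    """Parse the protected header of a compact-serialization JWS."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialization JWS")
    return json.loads(b64url_decode(parts[0]))


def crit_ok(compact_jws, understood=frozenset()):
    """True if the token's `crit` can be honoured. Run this before signature
    verification; a valid signature never excuses an unknown critical extension."""
    try:
        check_crit(protected_header(compact_jws), understood)
    except ValueError:
        return False
    return True


def sample_jws(header):
    """Constructed sample token: empty payload ("e30" is {}) and a placeholder
    signature; only the protected header matters for the crit check."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + ".e30.c2ln"


if __name__ == "__main__":
    EXT = "http://example.invalid/ext"  # hypothetical extension name
    token = sample_jws({"alg": "HS256", "crit": [EXT], EXT: True})
    print(crit_ok(token))                    # False: extension not implemented
    print(crit_ok(token, frozenset({EXT})))  # True: verifier implements it
```

The `understood` set is the only thing an application should widen: a verifier that hard-codes it to "everything" has reintroduced the bug, since the whole point of `crit` is that the producer is told the consumer either implements the extension or refuses the token.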
CVE-2026-32301 Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. `tenant`). An unauthenticated attacker can craft a JWT with a malicious iss or...
CVE-2026-32301
CVE-2026-32301 affects Centrifugo up to 6.6.x. An unauthenticated attacker can cause SSRF by crafting a JWT whose `iss` or `aud` claims interpolate into a dynamic JWKS endpoint URL before token verification, triggering Centrifugo to make a request to an attacker-controlled destination. The dynamic JW...
CVE-2026-27478
CVE-2026-27478 relates to Unity Catalog (0.4.0 and earlier). The vulnerability is a critical authentication bypass in the token exchange endpoint at /api/1.0/unity-control/auth/tokens, where the issuer (iss) claim from incoming JWTs is used to dynamically fetch the JWKS endpoint for signature val...
BIT-PARSE-2026-30863 Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is...
CVE-2025-15603
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack...
Command Injection
Overview @siteboon/claude-code-ui is a web-based UI for Claude Code CLI. Affected versions of this package are vulnerable to Command Injection through the authenticateWebSocket process and unsanitized input in the WebSocket shell handler. An attacker can execute arbitrary operating system...
GHSA-48MH-J4P5-7J9V Parse Server missing audience validation in Keycloak authentication adapter
Impact The Keycloak authentication adapter does not validate the `azp` (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse...
PT-2026-24800
Name of the Vulnerable Software and Affected Versions: Unity Catalog versions 0.4.0 and earlier. Description: Unity Catalog is an open, multi-modal Catalog for data and AI. A critical authentication bypass exists in the Unity Catalog token exchange endpoint, /api/1.0/unity-control/auth/tokens. The...
CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...
GO-2026-4622 OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes in github.com/OliveTin/OliveTin
OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes in github.com/OliveTin/OliveTin...
Devolutions Server <= 2025.3.15.0 Multiple Vulnerabilities (DEVO-2026-0005)
The version of Devolutions Server installed on the remote host is 2025.3.15.0 or earlier. It is, therefore, affected by multiple vulnerabilities: - Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated...
EUVD-2025-208452
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack...
EUVD-2025-208453
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack...
CVE-2025-15603
Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor explains: "The 't0p-s3cr3t' default was dead code on every supported startup path: start.sh...
EUVD-2026-10172
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters...
GHSA-X6FW-778M-WR9V Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Impact The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (`clientId` for Google/Apple, `appIds` for Facebook), JWT verification silently skips audience claim validation. This allows an...
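Added example, not code from any of the projects listed: one verifier that closes the two JWT-handling mistakes these entries share. The Centrifugo (CVE-2026-32301) and Unity Catalog (CVE-2026-27478 / PT-2026-24800) entries describe an unverified `iss` steering where keys are fetched from; the Parse Server (GHSA-X6FW-778M-WR9V, GHSA-48MH-J4P5-7J9V), OliveTin (GO-2026-4622) and Devolutions entries describe audience or authorized-party checks that are skipped or missing. The code below uses `iss` only as a lookup key into an operator-pinned allowlist, refuses to run when no expected audience is configured, and checks `azp` against the same configured client identifier. HS256 with a static key table stands in for a JWKS fetch so the example runs offline; TRUSTED_ISSUERS, the key bytes, sign_hs256, verify, accepts and TokenRejected are this example's own assumptions, and the issuer names are constructed.

```python
"""Verify a JWT against a pinned issuer allowlist and an explicit expected
audience: an unverified `iss` never selects where keys come from, and a
missing audience setting fails closed instead of skipping the check."""
import base64
import hashlib
import hmac
import json
import time


class TokenRejected(ValueError):
    pass


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed allowlist: issuer -> HMAC key. In a JWKS deployment the value is
# the operator-pinned JWKS URL (or cached key set) for that issuer; either way
# the lookup is by exact allowlist entry, never by a URL built from the token.
TRUSTED_ISSUERS = {
    "https://issuer.example": b"constructed-sample-key-0123456789",
}


def sign_hs256(claims, key):
    """Mint a compact HS256 JWT (stands in for the issuer in this example)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify(token, expected_aud, issuers=TRUSTED_ISSUERS, now=None):
    """Return the claims if the token is acceptable, else raise TokenRejected."""
    # Fail closed when the audience is unconfigured instead of silently
    # skipping the aud check (the Parse Server / OliveTin bug class).
    if not expected_aud:
        raise TokenRejected("expected audience is not configured")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:
        raise TokenRejected(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    # `iss` is attacker-controlled until the signature checks out. Use it only
    # as a dictionary key into the allowlist; never interpolate it into a URL
    # or fetch anything because of it (the Centrifugo / Unity Catalog bug).
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in issuers:
        raise TokenRejected("issuer not in allowlist")
    expected_sig = hmac.new(issuers[iss], f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenRejected("bad signature")
    # `aud` may be a string or an array (RFC 7519 section 4.1.3).
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_aud not in audiences:
        raise TokenRejected("audience mismatch")
    # `azp`, when present, must also name this client (the Keycloak adapter issue).
    if "azp" in claims and claims["azp"] != expected_aud:
        raise TokenRejected("authorized party mismatch")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenRejected("token expired")
    return claims


def accepts(token, expected_aud, **kwargs):
    """Boolean wrapper around verify() for callers that only need yes/no."""
    try:
        verify(token, expected_aud, **kwargs)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["https://issuer.example"]
    good = sign_hs256({"iss": "https://issuer.example", "aud": "my-client", "sub": "alice"}, key)
    print(verify(good, "my-client")["sub"])
    # `iss` pointing at an attacker host is rejected before any key fetch could happen.
    ssrf = sign_hs256({"iss": "https://attacker.example", "aud": "my-client"}, b"attacker-key")
    print(accepts(ssrf, "my-client"))
```

Where a real JWKS is needed, the allowlist value becomes the pinned URL for that issuer, and `kid` is used only to pick a key within that already-selected set; the token still never contributes a host, path or template variable to the request.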