1578 matches found

Cvelist
added 2025/10/22 7:24 p.m., 10 views

CVE-2025-62610 Hono Improperly Authorizes JWT Audience Validation

Hono is a web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono's JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid...

CVSS 8.1, EPSS 0.0035
Exploits 1, References 2
OSV
added 2025/10/22 7:24 p.m., 4 views

CVE-2025-62610 Hono Improperly Authorizes JWT Audience Validation

Hono is a web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono's JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid...

CVSS 8.1, AI score 6.7, EPSS 0.0035
Exploits 1, References 4
CVE
added 2025/10/22 7:24 p.m., 18 views

CVE-2025-62610

Hono's JWT Auth Middleware (versions 1.1.0 up to before 4.10.2) did not validate the aud (Audience) claim, potentially allowing tokens intended for other audiences to access a service. The issue is documented across multiple sources and is resolved by upgrading to version 4.10.2 or later. Affecte...

CVSS 8.1, AI score 6.3, EPSS 0.0035
Exploits 1, References 2, Affected Software 1
OSV
added 2025/10/22 3:21 p.m., 3 views

GHSA-M732-5P4W-X69G Hono Improper Authorization vulnerability

Improper Authorization in Hono JWT Audience Validation. Hono's JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential...

CVSS 8.1, AI score 5.9, EPSS 0.0035
Exploits 1, References 4
CNNVD
added 2025/10/22 12:00 a.m., 4 views

Hono authorization issue vulnerability

Hono is a web framework written in TypeScript from the Hono community. An authorization issue vulnerability exists in Hono versions 1.1.0 up to but not including 4.10.2; it stems from the lack of a built-in audience validation option in the JWT Auth Middleware and could lead to token confusion and...

CVSS 8.1, AI score 6.3, EPSS 0.0035
Exploits 1, References 3
NVD
added 2025/10/17 9:15 p.m., 2 views

CVE-2025-62647

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path...

CVSS 5.8, EPSS 0.00343
Exploits 1, References 5
CVE
added 2025/10/17 3:19 a.m., 11 views

CVE-2025-6950

CVE-2025-6950 affects Moxa network security appliances and routers. The flaw is the use of a hard-coded key to sign JWTs, enabling an unauthenticated attacker to forge tokens and impersonate any user, leading to complete compromise of the affected device (confidentiality, integrity, availability). Th...

CVSS 9.9, AI score 6.8, EPSS 0.00658
Exploits 0, References 1
Cvelist
added 2025/10/17 3:19 a.m., 10 views

CVE-2025-6950

A Use of Hard-coded Credentials vulnerability has been identified in Moxa's network security appliances and routers. The system employs a hard-coded secret key to sign the JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid...

CVSS 9.9, EPSS 0.00658
Exploits 0, References 1
CNNVD
added 2025/10/17 12:00 a.m., 2 views

Multiple Moxa products security vulnerability

MOXA EDF-G1002-BP Series and others are products of Moxa China. MOXA EDF-G1002-BP Series is a series of industrial-grade local area network (LAN) firewalls. Moxa EDR-8010 Series and others are products of Moxa Taiwan. Moxa EDR-8010 Series is a series of secure routers. Moxa EDR-G9010 Series is a series o...

CVSS 9.9, AI score 9, EPSS 0.00658
Exploits 0, References 2
Cvelist
added 2025/10/17 12:00 a.m., 8 views

CVE-2025-62647

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path...

CVSS 5, EPSS 0.00343
Exploits 1, References 5
Vulnrichment
added 2025/10/17 12:00 a.m., 2 views

CVE-2025-62647

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path...

CVSS 5, AI score 6.6, EPSS 0.00343
Exploits 1, References 5
EUVD
added 2025/10/16 12:30 p.m., 3 views

EUVD-2025-34751

Strapi is vulnerable to Insufficient Session Expiration...

CVSS 6.3, AI score 6.4, EPSS 0.00641
Exploits 0, References 5
OSV
added 2025/10/16 11:15 a.m., 5 views

CVE-2025-3930

Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date, which is set to 30 days by default but can be changed. The existence...

CVSS 6.3, AI score 5.7, EPSS 0.00641
Exploits 0, References 4
CVE
added 2025/10/16 10:43 a.m., 20 views

CVE-2025-3930

Strapi is affected by CVE-2025-3930 due to improper JWT handling: after logout or account deactivation, tokens are not invalidated, enabling an attacker to reuse stolen or intercepted tokens until their expiry. The presence of the publicly accessible /admin/renew-token endpoint further enables ne...

CVSS 6.3, AI score 6.5, EPSS 0.00641
Exploits 0, References 4
EUVD
added 2025/10/15 8:26 a.m., 3 views

EUVD-2025-34544

The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownidsharedsecret value is empty prior to authenticating a user via JWT. This makes it possible for...

CVSS 9.8, AI score 5.6, EPSS 0.00781
Exploits 0, References 3
CVE
added 2025/10/15 12:00 a.m., 9 views

CVE-2025-56749

The CVE-2025-56749 issue affects Creativeitem Academy LMS up to version 6.14, where a hardcoded default JWT secret allows forging valid tokens, enabling authentication bypass and unauthorized access to user accounts. Multiple connected sources corroborate the vulnerability across NVD, Red Hat, EN...

CVSS 9.4, AI score 6.7, EPSS 0.00451
Exploits 1, References 1, Affected Software 1
Vulnrichment
added 2025/10/15 12:00 a.m., 2 views

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...

AI score 6.7, EPSS 0.00451
Exploits 1, References 1
Cvelist
added 2025/10/15 12:00 a.m., 9 views

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...

EPSS 0.00451
Exploits 1, References 1
CNNVD
added 2025/10/15 12:00 a.m., 3 views

Creativeitem Academy LMS security vulnerability

Creativeitem Academy LMS is an online learning management system from Creativeitem (Bangladesh). A security vulnerability exists in Creativeitem Academy LMS version 6.14 and earlier; it stems from the use of a hard-coded default JWT key for token signing, which could lead to authentication bypas...

CVSS 9.4, AI score 6.8, EPSS 0.00451
Exploits 1, References 2
CVE
added 2025/10/14 12:00 a.m., 11 views

CVE-2025-57618

CVE-2025-57618 describes a path traversal vulnerability in StarNet FastX3 up to version 3.3.67. An unauthenticated attacker can read arbitrary server files, including configuration files containing the JWT signing secret and existing JTIs. This enables forging valid JWTs, potentially impersonatin...

CVSS 7.3, AI score 7.8, EPSS 0.00653
Exploits 0, References 3