PyPA
added 2026/05/28 4:16 p.m., 14 views

PYSEC-2026-179

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the...

CVSS 7.4 | AI score 5.8 | EPSS 0.00394
Exploits: 1 | References: 1 | Affected Software: 1
Cvelist
added 2026/05/27 9:02 p.m., 32 views

CVE-2026-44720 OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4...

CVSS 6.9 | EPSS 0.00207
Exploits: 0 | References: 1
CVE
added 2026/05/26 5:30 p.m., 42 views

CVE-2026-47202

Kavita (cross-platform reading server) before version 0.9.0.2 is affected by an improper token validation flaw that allows a remote, unauthenticated attacker to obtain a JWT for any user, including admins, given knowledge of the username. The issue stems from inadequate validation of tokens and i...

CVSS 9.3 | AI score 5.7 | EPSS 0.00171
Exploits: 0 | References: 2
CNNVD
added 2026/05/26 12:00 a.m., 11 views

Kavita security vulnerability

Kavita is a fast and feature-rich cross-platform reading server developed by Kavita OpenSource. Versions of Kavita prior to 0.9.0.2 contained security vulnerabilities. These vulnerabilities stemmed from improper token verification, which could allow remote unauthenticated attackers to obtain user...

CVSS 9.3 | AI score 5.8 | EPSS 0.00171
Exploits: 0 | References: 3
Snyk
added 2026/05/19 9:50 p.m., 7 views

Insertion of Sensitive Information into Externally-Accessible File or Directory

Overview: apache-airflow-providers-cncf-kubernetes is a Provider for Apache Airflow. Implements apache-airflow-providers-cncf-kubernetes package. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory via the exposure of J...

CVSS 8.7 | AI score 5.8 | EPSS 0.00156
Exploits: 0 | References: 2
Cvelist
added 2026/05/19 7:19 p.m., 46 views

CVE-2026-27173 Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read-only access to Kubernetes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow them to modify state of...

EPSS 0.00156
Exploits: 0 | References: 2
CNNVD
added 2026/05/19 12:00 a.m., 12 views

Apache Airflow security vulnerability

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. There is a security vulnerability in Apache Airflow, whic...

CVSS 8.7 | AI score 6 | EPSS 0.00156
Exploits: 0 | References: 1
NVD
added 2026/05/16 4:16 p.m., 19 views

CVE-2021-47942

Home Assistant Community Store HACS prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh...

CVSS 8.7 | EPSS 0.00498
Exploits: 1 | References: 4
EUVD
added 2026/05/16 3:28 p.m., 10 views

EUVD-2021-34838

Home Assistant Community Store HACS 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, th...

CVSS 8.7 | AI score 5.8 | EPSS 0.00498
Exploits: 1 | References: 4
CNNVD
added 2026/05/15 12:00 a.m., 11 views

libjwt cryptographic issue vulnerability

LibJWT is a C-language library developed by Ben Collins, designed for generating and verifying JSON Web Tokens. Versions 3.0.0 to 3.3.2 of LibJWT contain vulnerabilities related to encryption. These vulnerabilities arise from accepting RSA JWKs without an alg parameter as the verification key for...

CVSS 9.1 | AI score 5.8 | EPSS 0.00209
Exploits: 0 | References: 1
Github Security Blog
added 2026/05/14 1:13 p.m., 18 views

Fleet Windows MDM Azure AD JWT Authentication Bypass

Summary: A vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the aud (audience) or iss (issuer) claims, any Microsoft-signed...

CVSS 8.2 | AI score 5.8 | EPSS 0.00381
Exploits: 0 | References: 4 | Affected Software: 1
Snyk
added 2026/05/13 1:39 a.m., 8 views

Improper Verification of Cryptographic Signature

Overview: openlearnx is OpenLearnX, an AI-powered learning platform with adaptive quizzes, coding practice, course tracking, and dashboard analytics. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the JWT signature verification process...

CVSS 6.9 | AI score 5.8 | EPSS 0.00207
Exploits: 0 | References: 3
NVD
added 2026/05/08 6:16 a.m., 29 views

CVE-2024-46508

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the secret is not changed by setting YETIAUTHSECRETKEY to a value other than SECRET...

CVSS 7.5 | EPSS 0.00429
Exploits: 3 | References: 2
CNNVD
added 2026/05/08 12:00 a.m., 8 views

AstrBot security vulnerability

AstrBot is an open-source multi-platform LLM chatbot and development framework created by AstrBot. Version 3.5.15 of AstrBot contains a security vulnerability, which stems from the use of hard-coded private keys for signing JWTs...

CVSS 7.3 | AI score 5.8 | EPSS 0.00281
Exploits: 2 | References: 1
EUVD
added 2026/05/08 12:00 a.m., 9 views

EUVD-2024-55571

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the secret is not changed by setting YETIAUTHSECRETKEY to a value other than SECRET...

CVSS 7.5 | AI score 5.8 | EPSS 0.03919
Exploits: 3 | References: 1
CNNVD
added 2026/05/08 12:00 a.m., 10 views

Yeti Platform trust management vulnerability

Yeti Platform is an open-source daily threat intelligence platform developed by Yeti Platform. Versions of Yeti Platform prior to 2.1.12 had a trust management vulnerability. This vulnerability arises because attackers are allowed to generate valid JWT tokens without changing the...

CVSS 7.5 | AI score 5.8 | EPSS 0.00429
Exploits: 3 | References: 1
Github Security Blog
added 2026/05/07 2:57 a.m., 9 views

Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change

Summary: A session invalidation vulnerability exists in daptin's authentication system where JSON Web Tokens (JWTs) remain fully valid after a user changes their password. The JWT validation middleware CheckJWT only verifies token signature, expiry, issuer, and signing algorithm — it does not check...

AI score 5.9
Exploits: 0 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/05/06 12:00 a.m., 19 views

PT-2026-38307

Name of the Vulnerable Software and Affected Versions: fast-jwt versions prior to 6.2.4. Description: An authentication bypass exists in the asynchronous key-resolver flow. When an application's key resolver returns an empty string '' or a zero-length Buffer, the software converts this to a...

CVSS 9.1 | AI score 5.9 | EPSS 0.00236
Exploits: 0 | References: 5
RedhatCVE
added 2026/04/25 10:49 a.m., 8 views

CVE-2026-22748

A flaw was found in Spring Security. When an application is configured to decode JSON Web Tokens (JWTs) using NimbusJwtDecoder or NimbusReactiveJwtDecoder, it may not properly validate these tokens if an OAuth2TokenValidator is not explicitly configured. This oversight could allow an attacker with...

CVSS 6.5 | AI score 5.3 | EPSS 0.00203
Exploits: 0 | References: 4
CNNVD
added 2026/04/22 12:00 a.m., 10 views

Fullstep access control error vulnerability

Fullstep is a corporate procurement and supply chain management platform developed by Fullstep Inc. The Fullstep V5 version contains an access control vulnerability. This vulnerability stems from insufficient access control during the registration process, allowing unauthenticated users to obtain...

CVSS 8.7 | AI score 5.8 | EPSS 0.0027
Exploits: 0 | References: 1