52205 matches found

Github Security Blog
added 2026/03/05 8:52 p.m., 6 views

OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes

Summary: When JWT authentication is configured using either: - authJwtPubKeyPath (local RSA public key), or - authJwtHmacSecret (HMAC secret), the configured audience value authJwtAud is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted...

CVSS 8.8, AI score 6, EPSS 0.00043
Exploits 1, References 5, Affected software 1
GithubExploit
added 2026/03/05 8:19 p.m., 167 views

Exploit for CVE-2026-29000

CVE-2026-29000: pac4j-jwt JwtAuthenticator authentication bypa...

CVSS 10, AI score 6, EPSS 0.00039
Exploits 17
OSV
added 2026/03/05 4:16 p.m., 3 views

CVE-2026-30795

Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client (RustDesk Client, rustdesk-client) on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing Attacks. This vulnerability is associated with program files src/hbbshttp/sync.Rs and program routine...

CVSS 8.7, AI score 5.8
Exploits 0, References 3
OSV
added 2026/03/05 2:28 p.m., 2 views

SUSE-SU-2026:20685-1 Security update for helm

This update for helm fixes the following issues: - Update to version 3.19.1: CVE-2025-47911: golang.org/x/net/html: Fixed various algorithms with quadratic complexity when parsing HTML documents (bsc1251442). CVE-2025-58190: golang.org/x/net/html: Fixed excessive memory consumption by...

CVSS 5.3, AI score 5.8, EPSS 0.00033
Exploits 1, References 5
OSV
added 2026/03/05 2:27 p.m., 2 views

OPENSUSE-SU-2026:20327-1 Security update for helm

This update for helm fixes the following issues: - Update to version 3.19.1: CVE-2025-47911: golang.org/x/net/html: Fixed various algorithms with quadratic complexity when parsing HTML documents (bsc1251442). CVE-2025-58190: golang.org/x/net/html: Fixed excessive memory consumption by...

CVSS 5.3, AI score 7.2, EPSS 0.00033
Exploits 1, References 4
SUSE CVE
added 2026/03/05 6:50 a.m., 3 views

SUSE CVE-2026-27601

Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the .flatten and .isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow...

CVSS 5.3, AI score 5.8, EPSS 0.00022
Exploits 1, References 3
SUSE CVE
added 2026/03/05 6:50 a.m., 4 views

SUSE CVE-2026-27932

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service (DoS) via CPU exhaustion. When the library...

CVSS 7.5, AI score 5.8, EPSS 0.00048
Exploits 2, References 3
GithubExploit
added 2026/03/05 6:37 a.m., 112 views

Blueprint-POC

Sales-to-Delivery Agent Orchestration System - POC Phase 1...

AI score 5.9
Exploits 0
vulnersOsv
added 2026/03/05 2:07 a.m., 5 views

com.efluid.oss:efluid-datagate-app (>=3.1.3 <=6.1.5), com.efluid.oss:efluid-datagate-app-cucumber (>=3.1.3 <=6.1.5) +5 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=5.0.1 <=5.7.8)

org.pac4j:pac4j-jwt MAVEN version =5.0.1, =3.1.3, =3.1.3, =0.8.0, =0.8.0, =2.0.6, =2.2.1, =2.0.6, =2.1.0. Source CVEs: CVE-2026-29000. Source advisory: SNYK:JAVA-ORGPAC4J-15428218...

CVSS 9.3, AI score 6.7, EPSS 0.00039
Exploits 17
Fedora
added 2026/03/05 1:13 a.m., 5 views

[SECURITY] Fedora 42 Update: php-zumba-json-serializer-3.2.4-1.fc42

This is a library to serialize PHP variables in JSON format. It is similar to the serialize function in PHP, but the output is a JSON-encoded string. You can also unserialize the JSON generated by this tool and have your PHP content back. Autoloader: /usr/share/php/Zumba/JsonSerializer/autoload.ph...

AI score 6
Exploits 0
Fedora
added 2026/03/05 12:57 a.m., 7 views

[SECURITY] Fedora 43 Update: php-zumba-json-serializer-3.2.4-1.fc43

This is a library to serialize PHP variables in JSON format. It is similar to the serialize function in PHP, but the output is a JSON-encoded string. You can also unserialize the JSON generated by this tool and have your PHP content back. Autoloader: /usr/share/php/Zumba/JsonSerializer/autoload.ph...

AI score 6
Exploits 0
OpenVAS
added 2026/03/05 12:00 a.m., 1 view

Fedora: Security Advisory (FEDORA-2026-5ff99e948e)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

AI score 6
Exploits 0, References 3
OpenVAS
added 2026/03/05 12:00 a.m., 2 views

Fedora: Security Advisory (FEDORA-2026-d781fd2f6b)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

AI score 6
Exploits 0, References 3
Positive Technologies
added 2026/03/05 12:00 a.m., 5 views

PT-2026-23613

Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.11.1. Description: OliveTin allows access to predefined shell commands from a web interface. When JWT authentication is configured using a local RSA public key (authJwtPubKeyPath) or an HMAC secret (authJwtHmacSecret)...

CVSS 9.9, AI score 5.8, EPSS 0.07313
Exploits 68, References 140
NVD
added 2026/03/04 10:16 p.m., 10 views

CVE-2026-29000

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...

CVSS 9.3, EPSS 0.00039
Exploits 17, References 3
CVE
added 2026/03/04 9:49 p.m., 278 views

CVE-2026-29000

CVE-2026-29000 affects pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3. The issue is an authentication bypass in JwtAuthenticator when handling encrypted JWTs, enabling an attacker who has the server's RSA public key to forge a JWE-wrapped PlainJWT with arbitrary subject and role claims. This...

CVSS 9.3, AI score 6, EPSS 0.00039
Exploits 17, References 3
OSV
added 2026/03/04 9:23 p.m., 4 views

GHSA-6V53-7C9G-W56R jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion

Summary: The UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive...

CVSS 8.7, AI score 5.8, EPSS 0.00252
Exploits 0, References 7
Github Security Blog
added 2026/03/04 9:23 p.m., 16 views

jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion

Summary: The UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive...

CVSS 8.7, AI score 5.8, EPSS 0.00021
Exploits 0, References 7, Affected software 1
Snyk
added 2026/03/04 8:55 p.m., 2 views

Improper Verification of Cryptographic Signature

Overview: authlib is a library for building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in jwt.decode, which accepts alg: none. An attacker can gain unauthorized access, escalate privileges, or modify...

CVSS 9.8, AI score 5.8, EPSS 0.00019
Exploits 1, References 2
Github Security Blog
added 2026/03/04 8:55 p.m., 5 views

Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Summary: After upgrading the library from 1.5.2 to 1.6.0 and the latest 1.6.5, it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code, when a failure was...

CVSS 9.8, AI score 6, EPSS 0.00019
Exploits 1, References 5, Affected software 1