PT-2026-44397

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option "b64": false, RFC 7797, PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For...

RockyLinux 9 : mariadb:11.8 (RLSA-2026:19182)

The remote RockyLinux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:19182 advisory. MariaDB: MariaDB: Remote Code Execution or Denial of Service via JSONSCHEMAVALID function vulnerability CVE-2026-32710 Tenable has extracted the preceding...

mail/mailpit -- memory-exhaustion DoS via unbounded JSON body

Mailpit author reports: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/id/release...

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

CVE-2026-45322 OS Command Injection in Microsoft UFO Shell Action Replay via Stored Session JSON

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.runshell passes a command string...

CVE-2026-44720 OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4...

CVE-2026-44720 OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4...

CVE-2026-44660

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operatio...

CVE-2026-41164

nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims...

CVE-2026-47202

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the DAG-CBOR and DAG-JSON decoders. An attacker can cause a fatal stack overflow by submitting payloads with deeply nested collections. Remediation Upgrade github.com/ipld/go-ipld-prime/codec/dagcbor to...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the DAG-CBOR and DAG-JSON decoders. An attacker can cause a fatal stack overflow by submitting payloads with deeply nested collections. Remediation Upgrade github.com/ipld/go-ipld-prime/codec/dagjson to...

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS via the apiHandler and webHandlerTelegramBot processes. An attacker can cause the application to exhaust system memory and crash by sending an extremely large or endless JSON payload over a single TCP connection...

CVE-2026-44635

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled input flows into eb.refcol, '-$'.keyinput or .atinput — including type-safe code where the JSON column ...

CVE-2026-44635

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled input flows into eb.refcol, '-$'.keyinput or .atinput — including type-safe code where the JSON column ...

CVE-2026-44635

Kysely CVE-2026-44635 affects versions 0.26.0 through 0.28.16. The vulnerability resides in the JSON path builder: DefaultQueryCompiler.visitJSONPathLeg and related code do not escape JSON-path metacharacters (., [, ], *, **, ?). Attacker-controlled input used in eb.ref(col, '->$').key(input) ...

EUVD-2026-32623

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled input flows into eb.refcol, '-$'.keyinput or .atinput — including type-safe code where the JSON column ...

CVE-2026-44635 Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled input flows into eb.refcol, '-$'.keyinput or .atinput — including type-safe code where the JSON column ...

CVE-2026-45089

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated...

CVE-2026-45047

The CVE affects the Go project bird-lg-go. Before version 1.4.5, apiHandler (and webHandlerTelegramBot) directly decode user-provided JSON via json.NewDecoder(r.Body).Decode(&request) without a maximum read size, enabling an unauthenticated attacker to stream a very large or endless JSON payload ...