PT-2026-2130

Name of the Vulnerable Software and Affected Versions CryptoLib versions prior to 1.4.3 Description CryptoLib is a software solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures SDLS-EP to secure communications between a spacecraft and a ground station. An...

PT-2026-2247

Name of the Vulnerable Software and Affected Versions CryptoLib versions prior to 1.4.3 Description CryptoLib is a software solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures SDLS-EP for secure communication between spacecraft and ground stations. Versions prior ...

PT-2026-1846

Name of the Vulnerable Software and Affected Versions XWiki versions prior to 2.4.6 Description The XWiki Full Calendar Macro displays objects from the wiki on a calendar. Users with permission to view the Calendar.JSONService page, including guest users, can access database information, excludin...

WordPress Templately plugin <= 3.4.8 - Unauthenticated Limited Arbitrary JSON File Write vulnerability

Unauthenticated Limited Arbitrary JSON File Write vulnerability discovered by type5afe in WordPress Plugin Templately versions = 3.4.8...

jose-swift has JWT Signature Verification Bypass via None Algorithm

Summary An authentication bypass vulnerability allows any unauthenticated attacker to forge arbitrary JWT tokens by setting "alg": "none" in the token header. The library's verification functions immediately return true for such tokens without performing any cryptographic verification, enabling...

Use of a Broken or Risky Cryptographic Algorithm

Overview beatt83/jose-swift is a comprehensive support for the Jose suite of standards, including JWA JSON Web Algorithms, JWK JSON Web Key, JWE JSON Web Encryption, JWS JSON Web Signature, and JWT JSON Web Token. Affected versions of this package are vulnerable to Use of a Broken or Risky...

GHSA-88Q6-JCJG-HVMW jose-swift has JWT Signature Verification Bypass via None Algorithm

Summary An authentication bypass vulnerability allows any unauthenticated attacker to forge arbitrary JWT tokens by setting "alg": "none" in the token header. The library's verification functions immediately return true for such tokens without performing any cryptographic verification, enabling...

EUVD-2026-1693

jose-swift has JWT Signature Verification Bypass via None Algorithm...

CVE-2023-43983

Presto Changeo attributegrid up to 2.0.3 was discovered to contain a SQL injection vulnerability via the component disablejson.php...

CVE-2021-27884

Weak JSON Web Token JWT signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used...

CVE-2021-33483

An issue was discovered in CommentsService.ashx in OnyakTech Comments Pro 3.8. The comment posting functionality allows an attacker to add an XSS payload to the JSON request that will execute when users visit the page with the comment...

CVE-2021-33438

An issue was discovered in mjs mJS: Restricted JavaScript engine, ES6 JavaScript version 6. There is stack buffer overflow in jsonparsearray in mjs.c...

CVE-2021-31875

In mjsjson.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjsjsonparse, which can potentially lead to redirection of control flow. NOTE: the original reporter disputes the significance of this finding because "there isn’t...

CVE-2016-10843

cPanel before 11.54.0.4 allows code execution in the context of shared users via JSON-API SEC-76...

CVE-2025-40930

JSON::SIMD before version 1.07 and earlier for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact...

CVE-2022-38493

Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE JSON Web Encryption token...

CVE-2022-42743

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the 'proto' property to be edited...

CVE-2022-37775

Genesys PureConnect Interaction Web Tools Chat Service up to at least 26- September- 2019 allows XSS within the Printable Chat History via the participant - name JSON POST parameter...

CVE-2022-0220

The checkprivacysettings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web...

CVE-2022-35493

A Cross-site scripting XSS vulnerability in json search parse and the json response in wrteam.in, eShop - Multipurpose Ecommerce Store Website version 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the getproducts?search parameter...