52104 matches found
JWCrypto: python-cryptography: python: JWCrypto: Memory exhaustion via crafted compressed JWE tokens
A flaw was found in JWCrypto, a Python library for JSON Web Key JWK, JSON Web Signature JWS, and JSON Web Encryption JWE specifications. An unauthenticated attacker can exploit this vulnerability by sending specially crafted JWE tokens that use ZIP compression. While the input token size is...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
JWCrypto: python-cryptography: python: JWCrypto: Memory exhaustion via crafted compressed JWE tokens
A flaw was found in JWCrypto, a Python library for JSON Web Key JWK, JSON Web Signature JWS, and JSON Web Encryption JWE specifications. An unauthenticated attacker can exploit this vulnerability by sending specially crafted JWE tokens that use ZIP compression. While the input token size is...
Security Bulletin: Jackson-core Async JSON Parser Bypasses maxNumberLength Constraint Leading to DoS
Summary The non-blocking async JSON parser in jackson-core bypasses the maxNumberLength constraint default: 1000 characters defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and...
RHCOS 6 : ruby193-ruby, rubygem-json and rubygem-rdoc (RHSA-2013:0701)
The remote Red Hat Enterprise Linux CoreOS 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:0701 advisory. - rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template CVE-2013-0256 -...
RHEL 10 / 9 : Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update (Important) (RHSA-2026:13508)
The remote Redhat Enterprise Linux 10 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:13508 advisory. Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT...
PT-2026-37053
Name of the Vulnerable Software and Affected Versions apko versions prior to 1.2.7 Description The DiscoverKeys function in pkg/apk/apk/implementation.go performs an unconditional type-assertion of JWKS JSON Web Key Set keys as rsa.PublicKey without verifying the key type. If a repository JWKS...
Astra Linux - уязвимость в libjettison-java
An infinite recursion occurs in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This results in a StackOverflowError exception being thrown...
Astra Linux - уязвимость в cjson
cJSON 1.7.15 may allow a denial of service through a crafted JSON document, such as "a": true, "b": null,9999999999999999999999999999999999999999999999912345678901234567...
Astra Linux - уязвимость в qemu
A flaw was discovered in the QEMU disk image utility’s ‘info’ command. A specially crafted image file containing a json: value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, resulting in denial of service or issues with...
Astra Linux - уязвимость в golang-github-dvsekhvalnov-jose2go
A vulnerability was discovered in dvsekhvalnov jose2go versions 1.5.0 through 1.7.0. This vulnerability allows an attacker to trigger a Denial-of-Service DoS attack by using a specially crafted JSON Web Encryption JWE token with an exceptionally high compression ratio...
Astra Linux - уязвимость в thrift
In Apache Thrift versions 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when receiving invalid input data...
Astra Linux - уязвимость в zabbix
A specially crafted string can cause a buffer overflow in the JSON parser library, resulting in a crash of the Zabbix Server or Zabbix Proxy...
Astra Linux - уязвимость в json-smart
Json-smart is a performance-oriented JSON processor library. When encountering a '' or '' character in the JSON input, the code parses an array or an object respectively. It was discovered that the code has no limitations on the nesting of such arrays or objects. Since the parsing of nested array...
Astra Linux - уязвимость в libcpanel-json-xs-perl
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow that causes a segfault when parsing crafted JSON, allowing for denial-of-service attacks or other unspecified impacts...
Astra Linux - уязвимость в firefox, thunderbird
An attacker could, through a specially crafted multipart response, execute arbitrary JavaScript under the resource://devtools origin. This would allow them to access cross-origin JSON content. This access is limited to “same site” documents due to the Site Isolation feature on desktop clients, bu...
Astra Linux - уязвимость в node-json-schema
JSON-schema is vulnerable to improperly controlled modification of object prototype attributes known as “Prototype Pollution”...
Astra Linux - уязвимость в ceph
A flaw was discovered in Red Hat Ceph Storage 4, within the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for documentation purposes, which again exposes them to...
EUVD-2026-26851
A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote...
CVE-2026-7710
The CVE-2026-7710 issue affects YunaiV yudao-cloud up to version 3.8.0, specifically the JwtAuthenticationTokenFilter.doFilterInternal implementation in Ruoyi-Vue-Pro. A manipulation of the mock-token argument enables improper authentication, with remote exploitation possible. Exploit code is rep...