
10 matches found

NVD
added last week, 9 views

CVE-2026-39999

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which...

CVSS 9.1, EPSS 0.00386
Exploits: 0, References: 2
Vulnrichment
added 2025/11/19 5:45 a.m., 8 views

CVE-2025-12822 WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure

The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mojwtgeneratenewapikey' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 4.3, AI score 4.8, EPSS 0.00175
Exploits: 0, References: 2
Cvelist
added 2025/11/19 5:45 a.m., 13 views

CVE-2025-12822 WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure

The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mojwtgeneratenewapikey' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 4.3, EPSS 0.00175
Exploits: 0, References: 2
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2021-14067

Malware in sbrugna...

CVSS 7.5, AI score 7.5, EPSS 0.01789
Exploits: 0, References: 4
RedhatCVE
added 2025/05/22 7:31 p.m., 17 views

CVE-2021-27306

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT...

CVSS 7.5, AI score 6.8, EPSS 0.01789
Exploits: 0, References: 1
wpexploit
added 2021/10/18 12:0 a.m., 725 views

Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF

The plugin does not have nonce checks when saving its settings, allowing attackers to make a logged-in admin change them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover. The following HTML code can be used...

CVSS 8.8, AI score 0.4, EPSS 0.00612
Exploits: 2
NVD
added 2021/03/18 3:15 p.m., 10 views

CVE-2021-27306

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT...

CVSS 7.5, EPSS 0.01789
Exploits: 0, References: 2
Prion
added 2021/03/18 3:15 p.m., 15 views

Improper access control

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT...

CVSS 4.3, AI score 7.4, EPSS 0.01789
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2021/03/18 2:2 p.m., 63 views

CVE-2021-27306

CVE-2021-27306 involves Kong Gateway’s JWT plugin, where an improper access control flaw lets unauthenticated users reach authenticated routes without a valid JWT. The issue affects Kong Gateway versions before 2.3.2.0 and stems from insufficient authorization checks in the JWT plugin. Impact is ...

CVSS 7.5, AI score 7.4, EPSS 0.01789
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2021/03/18 2:2 p.m., 24 views

CVE-2021-27306

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT...

AI score 7.6, EPSS 0.01789
Exploits: 0, References: 2