CVE-2025-68620
CVE-2025-68620 concerns Signal K Server (versions prior to 2.19.0), where two flaws enable JWT token theft without authentication. First, unauthenticated WebSocket request enumeration: connecting to the stream endpoint with serverevents=all exposes cached ACCESS_REQUEST events to readonly/unauthenticated use...
CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...
EUVD-2025-22327
Malicious code in bioql PyPI...
Cross site scripting
In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by a Stored XSS vulnerability, where a low-privileged editor user can upload an SVG file containing malicious JavaScript while uploading assets to a page. That will send the JWT tokens to the attacker's server and will lead to...