CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

129 matches found

Friends Of PHP•added 2026/06/06 4:26 p.m.•3 views

PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service

Impact When a JWE uses a password-based key-encryption algorithm PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, PBES2AESKW::unwrapKey reads the p2c PBKDF2 iteration count parameter directly from the attacker-controlled JOSE header and passes it to hashpbkdf2 with no upper bound. The...

5.6AI score

Exploits0Affected Software1

RedHat Linux•added 2026/05/19 9:12 a.m.•8 views

openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap

A flaw was found in the OpenSSL CMS implementation RFC 3211 KEK Unwrap. This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption PWRI...

7.5CVSS6.8AI score0.0177EPSS

Exploits0References4

OSV•added 2026/04/27 6:33 p.m.•8 views

JLSEC-2026-266

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a...

7.5CVSS7.9AI score0.0177EPSS

Exploits0References10

SUSE CVE•added 2026/03/24 12:24 a.m.•6 views

SUSE CVE-2026-33204

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt on attacker-controlled JWEs using PBES2 algorithms are...

7.5CVSS5.8AI score0.00481EPSS

Exploits1References3

NVD•added 2026/03/20 11:16 p.m.•3 views

CVE-2026-33204

7.5CVSS0.00481EPSS

Exploits1References2

Vulnrichment•added 2026/03/20 10:37 p.m.•6 views

CVE-2026-33204 SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering

7.5CVSS5.7AI score0.00481EPSS

Exploits1References2

OSV•added 2026/03/20 10:37 p.m.•3 views

CVE-2026-33204 SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering

7.5CVSS5.8AI score0.00481EPSS

Exploits1References4

Cvelist•added 2026/03/20 10:37 p.m.•20 views

CVE-2026-33204 SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering

7.5CVSS0.00481EPSS

Exploits1References2

EUVD•added 2026/03/20 10:37 p.m.•8 views

EUVD-2026-13871

7.5CVSS5.7AI score0.00481EPSS

Exploits1References2

OSV•added 2026/03/18 8:16 p.m.•4 views

GHSA-XW36-67F8-339X SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering

Summary An unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt on attacker-controlled JWEs using PBES2 algorithms are affected. Details PHP version: PHP 8.4.11 SimpleJWT version: v1.1.0 The relevant...

7.5CVSS5.9AI score0.00481EPSS

Exploits1References4

Github Security Blog•added 2026/03/18 8:16 p.m.•8 views

SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering

7.5CVSS5.9AI score0.00481EPSS

Exploits1References4Affected Software1

Snyk•added 2026/03/18 8:16 p.m.•5 views

Excessive Iteration

Overview Affected versions of this package are vulnerable to Excessive Iteration via the decryptKey function when processing attacker-controlled JWE headers using PBES2 algorithms. An attacker can cause excessive CPU consumption and exhaust server resources by supplying a JWE with a very large p2...

8.7CVSS5.8AI score0.00481EPSS

Exploits1References2

Positive Technologies•added 2026/03/18 12:0 a.m.•5 views

PT-2026-26212

7.5CVSS6AI score0.00481EPSS

Exploits1References6

Tenable Nessus•added 2026/03/17 12:0 a.m.•6 views

EulerOS Virtualization 2.12.1 : openssl (EulerOS-SA-2026-1450)

According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bound...

7.5CVSS6.6AI score0.0177EPSS

Exploits0References2

Packet Storm•added 2026/03/06 12:0 a.m.•171 views

📄 joserfc JWE PBES2 1.6.2 Denial of Service

A denial of service condition can occur in applications using the joserfc library when processing malicious JSON Web Encryption tokens that use the PBES2-HS256+A128KW algorithm...

7.5CVSS5.8AI score0.00432EPSS

Exploits2

SUSE CVE•added 2026/03/05 6:50 a.m.•5 views

SUSE CVE-2026-27932

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service DoS via CPU exhaustion. When the library...

7.5CVSS5.8AI score0.00432EPSS

Exploits2References3

RedhatCVE•added 2026/03/04 5:2 a.m.•6 views

CVE-2026-27932

A flaw was found in joserfc, a Python library for JSON Object Signing and Encryption JOSE standards. An unauthenticated attacker can cause a Denial of Service DoS by exploiting a resource exhaustion vulnerability. This occurs when the library decrypts a JSON Web Encryption JWE token using...

7.5CVSS5.8AI score0.00432EPSS

Exploits2References2

OSV•added 2026/03/03 11:15 p.m.•6 views

DEBIAN-CVE-2026-27932

7.5CVSS5.4AI score0.00432EPSS

Exploits2References1

NVD•added 2026/03/03 11:15 p.m.•9 views

CVE-2026-27932

7.5CVSS0.00432EPSS

Exploits2References2