Lucene search
K

217 matches found

Snyk
Snyk
added 2026/04/09 10:10 p.m.5 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the authentication for Google OIDC tokens in the GCR Receiver webhook endpoint. An attacker can trigger unauthorized reconciliation of resources by presenting any valid Google-issued...

6.3CVSS5.8AI score0.00127EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/09 4:41 p.m.12 views

fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification

⚠️ IMPORTANT CLARIFICATIONS Affected Configurations This vulnerability ONLY affects applications that: - Use RegExp objects not strings in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options - Configure patterns susceptible to catastrophic backtracking - Example: allowedAud...

6.5CVSS6AI score0.00262EPSS
Exploits1References6Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/09 2:55 p.m.1 views

CVE-2026-35041 ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

4.2CVSS5.9AI score0.00262EPSS
Exploits1References4
CVE
CVE
added 2026/04/09 2:55 p.m.13 views

CVE-2026-35041

The CVE affects fast-jwt versions 5.0.0 through 6.2.0 where allowedAud verification uses a RegExp. The attacker-controlled aud claim, when matched against the provided RegExp, can trigger catastrophic backtracking in the JavaScript engine, causing CPU exhaustion during token verification. This vu...

6.5CVSS5.9AI score0.00262EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.6 views

PT-2026-31621

fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statef...

5.3CVSS5.9AI score0.00383EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/04/07 5:3 p.m.4 views

CVE-2026-35039

fast-jwt provides fast JSON Web Token JWT implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification proce...

9.1CVSS5.9AI score0.00212EPSS
Exploits0References1
NVD
NVD
added 2026/04/06 5:17 p.m.4 views

CVE-2026-35039

fast-jwt provides fast JSON Web Token JWT implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification proce...

9.1CVSS0.00212EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/06 4:59 p.m.2 views

CVE-2026-35039

fast-jwt provides fast JSON Web Token JWT implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification proce...

9.1CVSS5.9AI score0.00212EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 10:1 p.m.14 views

fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)

Summary fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. ---...

7.5CVSS5.9AI score0.00155EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 4:7 a.m.6 views

fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)

NOTE: While the library exposes a mechanism which could introduce the vulnerability, this issue is created by developer-supplied code and not by the library itself. We will add a warning and some education for users around the possible issues however since the defaults work we will not be updatin...

9.1CVSS6AI score0.00212EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/03 12:0 a.m.10 views

PT-2026-30280

Summary fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. ---...

7.5CVSS5.9AI score0.00244EPSS
Exploits2References6
Snyk
Snyk
added 2026/04/01 10:30 p.m.6 views

Directory Traversal

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Directory Traversal via the index function in MediaBrowserController when the fileRemove action is triggered and user input is concatenated with the...

8.7CVSS6.5AI score0.00693EPSS
Exploits1References2
NVD
NVD
added 2026/04/01 9:17 p.m.5 views

CVE-2026-34531

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

8.2CVSS0.00324EPSS
Exploits0References4
UbuntuCve
UbuntuCve
added 2026/04/01 9:17 p.m.5 views

CVE-2026-34531

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

8.2CVSS5.8AI score0.00324EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/01 8:44 p.m.2 views

CVE-2026-34531

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

6.5CVSS5.8AI score0.00324EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/04/01 8:44 p.m.28 views

CVE-2026-34531

CVE-2026-34531 affects Flask-HTTPAuth (Python package) and concerns the token verification callback receiving an empty string when a request targets a token-protected resource without a token or with an empty token. This could allow authentication against any user whose token is an empty string. ...

8.2CVSS5.8AI score0.00324EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/01 8:44 p.m.30 views

CVE-2026-34531 Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

6.5CVSS0.00324EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/31 11:48 p.m.4 views

Improper Authentication

Overview Flask-HTTPAuth is a HTTP authentication for Flask routes Affected versions of this package are vulnerable to Improper Authentication in the token verification process. An attacker can gain unauthorized access by submitting a request with a missing or empty token if the application stores...

8.3CVSS5.7AI score0.00324EPSS
Exploits0References2
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/31 12:0 a.m.12 views

Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client

In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in...

8.2CVSS5.9AI score0.00324EPSS
Exploits0References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:14 p.m.7 views

CVE-2025-69238

Raytha CMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. Attacker can craft special website, which when visited by the authenticated victim, will automatically send POST request to the endpoint e. x. deletion of the data without enforcing token verification. This issue wa...

6.9CVSS5.8AI score0.00121EPSS
Exploits0References1
Rows per page
Query Builder