139 matches found
CVE-2026-22817
Hono JWT verification middleware (JWK/JWKS) allowed the JWT header alg to influence signature checks if the JWK didn’t specify an algorithm, enabling potential JWT algorithm confusion and, in some configurations, forged tokens. This CVE affects Hono prior to version 4.11.4. The vulnerability is f...
CVE-2026-22818 JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly defi...
CVE-2026-22818 JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly defi...
CVE-2026-22818 JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly defi...
CVE-2025-68925 Jervis has a JWT Algorithm Confusion Vulnerability
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2...
EUVD-2026-2023
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2...
CVE-2025-68925 Jervis has a JWT Algorithm Confusion Vulnerability
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2...
CVE-2025-68925 Jervis has a JWT Algorithm Confusion Vulnerability
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2...
PT-2026-2798
Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.11.4 Description Hono is a Web application framework supporting various JavaScript runtimes. A flaw exists in the JWT verification middleware when using JWK/JWKS, where the alg value in the JWT header could influence...
EUVD-2025-16666
Malicious code in bioql PyPI...
EUVD-2024-52316
Malicious code in bioql PyPI...
EUVD-2023-2883
Malicious code in bioql PyPI...
EUVD-2022-1387
Malicious code in bioql PyPI...
EUVD-2023-2944
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-48994
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared...
Algorithm Confusion
signxml is vulnerable to an Algorithm Confusion. The vulnerability is due to Improper enforcement of signature algorithm restrictions are not properly enforced when hmackey is set and requirex509 is disabled, allowing an attacker to bypass verification by using a different signing algorithm inste...
SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set signxml.XMLVerifier.verifyrequirex509=False, hmackey=..., prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature...
GHSA-6VX8-PCWV-XHF4 SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set signxml.XMLVerifier.verifyrequirex509=False, hmackey=..., prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature...
DEBIAN-CVE-2025-48994
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set signxml.XMLVerifier.verifyrequirex509=False, hmackey=..., versions of SignXML prior to 4.0.4 are vulnerable to a potential...
CVE-2025-48994
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set signxml.XMLVerifier.verifyrequirex509=False, hmackey=..., versions of SignXML prior to 4.0.4 are vulnerable to a potential...