python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens
A flaw was found in PyJWT, a Python library for JSON Web Token (JWT) implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys (JWK) in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...
kernel: Linux kernel: smb: client: reject userspace cifs.spnego descriptions
A privilege escalation vulnerability was found in the Linux kernel's CIFS client implementation. This could allow a local attacker to impersonate other users, bypass authentication in SMB mount operations, and potentially gain unauthorized access to network file shares or escalate privileges...
PT-2026-49590
Name of the Vulnerable Software and Affected Versions: AIOHTTP versions prior to 3.14.1. Description: DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. If a client follows a redirect to an attacker-controlled domain, the attacker may be able to extract...
PT-2026-49463
Unauthenticated Broken Authentication in Masteriyo - LMS = 2.1.8 versions...
PT-2026-49440
Unauthenticated Broken Authentication in CloudSecure WP Security = 1.4.7 versions...
PT-2026-49437
Subscriber Broken Authentication in WP Full Stripe Free = 8.4.1 versions...
PT-2026-49202
Name of the Vulnerable Software and Affected Versions: ash authentication versions 0.1.0 through 4.13.x; ash authentication versions 5.0.0-rc.0 through 5.0.0-rc.9. Description: An authentication bypass by spoofing allows account takeover of local users during OAuth2 or OIDC sign-in. The issue occurs...
PT-2026-49575
Name of the Vulnerable Software and Affected Versions: launch-editor versions prior to 2.14.1. Description: The launch-editor NPM package allows the access of arbitrary paths, including Windows UNC (Universal Naming Convention) paths. On Windows systems, accessing a UNC path triggers an automatic NTLM...
PT-2026-49512
Unauthenticated Broken Authentication in RegistrationMagic = 6.0.8.6 versions...
PT-2026-49424
Subscriber Broken Authentication in AutomatorWP = 5.6.7 versions...
PT-2026-49459
Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend = 1.18.0 versions...
PT-2026-49510
Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce = 3.1.4 versions...
RHEL 10 : fence-agents (RHSA-2026:25902)
The remote Red Hat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:25902 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachabl...
CVE-2026-38329
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/key endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and...
CVE-2026-45389
In OCaml-TLS before 2.1.0, the server implementation does insufficient checks of the certificate provided by the client when doing client authentication, which allows impersonation with certificates that are not meant for client authentication because of KeyUsage and ExtendedKeyUsage...
PT-2026-49470
Name of the Vulnerable Software and Affected Versions: MultiJuicer versions 8.0.0 through 10.0.0. Description: The team join endpoint 'POST /multi-juicer/api/teams/team/join' accepts requests with any Content-Type, including text/plain. Since this content type does not trigger a Cross-Origin Resourc...
PT-2026-49496
Name of the Vulnerable Software and Affected Versions: Really Simple SSL versions prior to 9.5.11. Description: Broken authentication allows unauthenticated users to bypass security controls. Recommendations: Update to version 9.5.11 or later...
PT-2026-49595
Name of the Vulnerable Software and Affected Versions: @nestjs/platform-fastify versions prior to 11.1.24. Description: An authentication bypass exists in the Fastify adapter when middleware is registered through the MiddlewareConsumer.forRoutes API. An unauthenticated client can bypass registered...
PT-2026-49373
Subscriber Broken Authentication in FunnelKit Automations = 3.7.3 versions...