CVE-2026-35039

fast-jwt provides fast JSON Web Token JWT implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification proce...

Improper Validation of Unsafe Equivalence in Input

Overview fast-jwt is a Fast JSON Web Token implementation Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the cacheKeyBuilder function when custom implementations do not generate unique keys for different tokens, leading to cache collision...

CVE-2026-2836

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

Duplicate Advisory: Cache poisoning via insecure-by-default cache key

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external references. Original Description A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction...