Lucene search
K

7 matches found

Snyk
Snyk
added 2026/05/20 3:35 p.m.9 views

Improper Verification of Cryptographic Signature

Overview symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. Affected versions of this package are vulnerable to...

9.3CVSS5.8AI score0.0005EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/13 3:2 p.m.10 views

CVE-2026-44459

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not...

3.8CVSS5.8AI score0.00216EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/13 3:2 p.m.28 views

CVE-2026-44459

CVE-2026-44459 (Hono) concerns improper validation of JWT NumericDate claims (exp, nbf, iat) in hono/utils/jwt prior to 4.12.18. The vulnerability allows tokens with non-spec-compliant claim values to silently bypass time-based checks when verify() processes malformed claims (not exploitable by a...

3.8CVSS5.8AI score0.00216EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/05/07 9:34 p.m.5 views

GHSA-FPW6-HRG5-Q5X5 ech0's acess tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI

Summary Access tokens created with the "never expire" option have no exp JWT claim. Three independent revocation mechanisms fail for this token type. Logout at internal/handler/auth/auth.go:154 and :163 dereferences claims.ExpiresAt.Time, panicking on the nil field so the token never hits the...

7.4CVSS5.8AI score
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/04/29 8:43 p.m.8 views

CVE-2025-46344 Auth0 NextJS SDK v4 Missing Session Invalidation

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While...

7.1CVSS6.7AI score0.00375EPSS
Exploits0References3
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.7 views

CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

More info at https://symfony.com/cve-2026-45069...

5.8AI score0.0005EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.7 views

CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

More info at https://symfony.com/cve-2026-45069...

5.8AI score0.0005EPSS
Exploits0Affected Software1
Rows per page
Query Builder