3 matches found
SUSE CVE-2026-48523
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...
UBUNTU-CVE-2026-48526
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the...
CVE-2024-29200 API returns timesheet entries a user should not be authorized to view
Kimai is a web-based multi-user time-tracking application. The permission viewothertimesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the viewothertimesheet permission to true, on the frontend, users can only see timesheet...