5 matches found

Vulnrichment
added 2026/03/03 9:21 p.m., 4 views

CVE-2026-3224

Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT)...

AI score: 6, EPSS: 0.00077
Exploits: 0, References: 1
OSV
added 2024/08/20 8:25 p.m., 14 views

GO-2023-1283 KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys in github.com/KubeOperator/kubepi

KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys in github.com/KubeOperator/kubepi...

CVSS: 9.8, AI score: 9.3, EPSS: 0.91521
Exploits: 1, References: 5
CNNVD
added 2023/10/25 12:0 a.m., 5 views

light-oauth2 Trust Management Issue Vulnerability

light-oauth2 is a fast, lightweight, cloud-native OAuth 2.0 authorization microservice based on light-4j, open-sourced by networknt. Versions of light-oauth2 before 2.1.27 contain a security vulnerability that stems from obtaining the public key without any validation, allowing an...

CVSS: 5.9, AI score: 6.7, EPSS: 0.00174
Exploits: 1, References: 3
SUSE CVE
added 2023/02/15 4:42 a.m., 1 views

SUSE CVE-2017-11424

In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

CVSS: 7.5, AI score: 7.6, EPSS: 0.00193
Exploits: 0, References: 3
Github Security Blog
added 2023/01/06 5:37 p.m., 41 views

KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys

Summary: The jwt authentication function of kubepi <= v1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Details: session.go, the use of...

CVSS: 9.8, AI score: 9.1, EPSS: 0.91521
Exploits: 1, References: 6, Affected Software: 1