Lucene search
+L

150 matches found

OSV
OSV
added 3 days ago4 views

CVE-2026-46684 DataEase: Unauthorized Command Execution Vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase enterprise token handling can let TokenFilterdoFilter pass X-DE-TOKEN values to TokenUtils.validate, which checks only token presence and length before userBOByTokentoken uses JWT.decode without signature...

9.5CVSS6.1AI score0.00193EPSS
Exploits0References5
Cvelist
Cvelist
added 4 days ago39 views

CVE-2026-45363 `jwt` (Ruby gem) - empty-key HMAC bypass

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decodetoken, '', true, algorithm: 'HS256' accepts an attacker-forged token because OpenSSL::HMAC.digest'SHA256', '', payload returns a valid digest under an empty key and no empty-key...

9.1CVSS0.00242EPSS
Exploits0References5
OSV
OSV
added 4 days ago4 views

CVE-2026-45363 `jwt` (Ruby gem) - empty-key HMAC bypass

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decodetoken, '', true, algorithm: 'HS256' accepts an attacker-forged token because OpenSSL::HMAC.digest'SHA256', '', payload returns a valid digest under an empty key and no empty-key...

9.1CVSS6.9AI score0.00242EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/07/07 8:33 p.m.34 views

CVE-2026-57172 DataEase: Hardcoded JWT Signing Secret in ShareLink

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs,...

8.3CVSS0.00289EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:33 p.m.6 views

CVE-2026-57172

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs,...

8.3CVSS5.9AI score0.00289EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/07/07 8:33 p.m.6 views

CVE-2026-57172 DataEase: Hardcoded JWT Signing Secret in ShareLink

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs,...

8.3CVSS5.9AI score0.00289EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/07/06 5:37 a.m.8 views

Important: Red Hat Security Advisory: fence-agents security update

An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, i...

7.4CVSS6AI score0.00394EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2026/07/06 5:32 a.m.7 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.9AI score0.00394EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/07/06 5:8 a.m.8 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.9AI score0.00394EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/07/06 3:54 a.m.6 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.9AI score0.00394EPSS
Exploits1References5
Snyk
Snyk
added 2026/07/02 7:12 p.m.5 views

Inadequate Encryption Strength

Overview Affected versions of this package are vulnerable to Inadequate Encryption Strength in the verify process. An attacker can gain unauthorized access and forge arbitrary claims by submitting tokens signed with an empty or null key, which are incorrectly accepted as valid signatures. This is...

8.7CVSS6.1AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/02 8:29 a.m.9 views

CVE-2026-14336

PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check issuer.startswith' https://ci.eclipse.org ' in isissuerknown, pia/models.py:139 instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://[email protected]...

8.2CVSS6AI score0.00321EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.16 views

PT-2026-55459

Name of the Vulnerable Software and Affected Versions joserfc versions 1.6.7 and earlier Description An authentication bypass exists when the verification key provided to joserfc.jwt.decode is an empty string or None. This occurs because the HMACAlgorithm.verify and HMACAlgorithm.sign functions...

8.7CVSS6AI score
Exploits0References15
RedHat Linux
RedHat Linux
added 2026/07/01 5:32 p.m.5 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.8AI score0.00394EPSS
Exploits1References5
CISA KEV Catalog
CISA KEV Catalog
added 2026/06/29 12:0 a.m.12 views

SimpleHelp Authentication Bypass Vulnerability

SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacke...

10CVSS5.9AI score0.0116EPSS
In wildExploits1
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.14 views

SUSE SLES16 Security Update : python-PyJWT (SUSE-SU-2026:22170-1)

The remote SUSE Linux SLES16 / SLESSAP16 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:22170-1 advisory. This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments directly to...

7.4CVSS5.8AI score0.00394EPSS
Exploits4References16
OSV
OSV
added 2026/06/25 8:13 a.m.2 views

SUSE-SU-2026:2627-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments directly to urllib.request.urlopen and allows for SSRF and token forgery bsc1266798. - CVE-2026-48523: verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are...

7.4CVSS5.8AI score0.00394EPSS
Exploits4References9
OSV
OSV
added 2026/06/19 5:43 a.m.3 views

OPENSUSE-SU-2026:21095-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments directly to urllib.request.urlopen and allows for SSRF and token forgery bsc1266798. - CVE-2026-48523: verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are...

7.4CVSS5.7AI score0.00394EPSS
Exploits4References10
OSV
OSV
added 2026/06/17 12:3 p.m.7 views

RLSA-2026:26206 Important: fence-agents security update

The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fixes: python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Token...

7.4CVSS5.3AI score0.00394EPSS
Exploits1References2
Rockylinux
Rockylinux
added 2026/06/17 12:3 p.m.25 views

fence-agents security update

An update is available for fence-agents. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The fence-agents packages provide a collection of scripts for handling...

7.4CVSS5.4AI score0.00394EPSS
Exploits1
Rows per page
Query Builder