Unity Linux 20.1060e / 20.1070e Security Update: ganglia (UTSA-2026-016666)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016666 advisory. ganglia-web aka Ganglia Web Frontend through 3.7.5 allows XSS via the header.php ce parameter. Tenable has extracted the preceding description block directly from th...

Debian dsa-6259 : python-jwt-doc - security update

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6259 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6259-1 [email protected] https://www.debian.org/security/...

TOTOLINK WA300 缓冲区错误漏洞

TOTOLINK WA300 is a wireless access point produced by TOTOLINK, a Chinese company. The TOTOLINK WA300 5.2cu.7112B20190227 version contains a buffer overflow vulnerability. This vulnerability stems from the operation of the loginauth function in the POST Request Handler component’s file...

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

EUVD-2026-23840

A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function toolcall of the file apps/experimental/toolswebhook/app.py of the component toolswebhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be...

CVE-2026-35042

fast-jwt provides fast JSON Web Token JWT implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token...

CVE-2026-35042

fast-jwt provides fast JSON Web Token JWT implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token...

GHSA-HM7R-C7QW-GHP6 fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)

Summary fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. ---...

CVE-2026-34817

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting XSS via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

USN-8133-1: PyJWT vulnerability

It was discovered that PyJWT did not validate the critical header parameter, contrary to the RFC specification expectations. A remote attacker could possibly use this issue to bypass certain authentication checks and restrictions...

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Summary The @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirel...

SUSE-SU-2026:20879-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issues: Update to PyJWT 2.12.1: - CVE-2024-53861: prevent partial matching of the Issuer field bsc1234038. - CVE-2026-32597: validate the crit Header Parameter defined in RFC 7515 bsc1259616. Changelog: Update to 2.12.1: - Add missing...

SUSE-SU-2026:20869-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issue: - CVE-2026-32597: validate the crit Header Parameter defined in RFC 7515 bsc1259616...

PYSEC-2026-120

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting...

Linux Distros Unpatched Vulnerability : CVE-2026-32597

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 4.1.11. When...

CVE-2026-32597

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

PT-2026-24718

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 3.6.10 Description Traefik is an HTTP reverse proxy and load balancer. A tenant with write access to an HTTPRoute resource can inject rule tokens into Traefik’s router rule language through unsanitized header or query...

Ubuntu 22.04 LTS / 24.04 LTS : Authlib vulnerabilities (USN-8065-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8065-1 advisory. Millie Solem discovered that Authlib did not properly restrict algorithm selection during JWT verification, allowing HMAC verification with...

PT-2026-25090

Name of the Vulnerable Software and Affected Versions PyJWT versions prior to 2.12.0 Description PyJWT is a Python implementation for handling JSON Web Tokens JWT. Before version 2.12.0, the library did not properly validate the 'crit' Critical Header Parameter as defined in RFC 7515 §4.1.11...

CVE-2025-67726 Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The parseparam function in httputil.py is used to parse specific HTTP header values, such as thos...