RockyLinux 10 : opentelemetry-collector (RLSA-2026:19135)

The remote RockyLinux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RLSA-2026:19135 advisory. net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25679 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go:...

ALSA-2026:19135 Important: opentelemetry-collector security update

Collector with the supported components for a AlmaLinux build of OpenTelemetry Security Fixes: net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25679 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path...

Important: Red Hat Security Advisory: podman security update

An update for podman is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

CVE-2026-34240

Summary : CVE-2026-34240 affects the JOSE JavaScript library. Prior to 0.3.5+1, an unauthenticated, remote attacker could forge valid JWS/JWT tokens by embedding an attacker-controlled public key in the JOSE header (jwk) and exploiting header-provided keys as verification candidates even if not p...

CVE-2026-34240

JOSE is a Javascript Object Signing and Encryption JOSE library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...

CVE-2026-34240 jose vulnerable to untrusted JWK header key acceptance during signature verification

JOSE is a Javascript Object Signing and Encryption JOSE library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...

CVE-2026-34240 jose vulnerable to untrusted JWK header key acceptance during signature verification

JOSE is a Javascript Object Signing and Encryption JOSE library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...

MiracleLinux 9 : podman-5.4.0-9.el9_6 (AXSA:2025-10548:06)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-10548:06 advisory. go-jose: Go JOSE's Parsing Vulnerable to Denial of Service CVE-2025-27144 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of...

Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in jose-4.15.9.tgz

Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in jose-4.15.9.tgz Vulnerability Details CVEID:CVE-2025-45767 DESCRIPTION: jose v6.0.10 was discovered to contain weak encryption. NOTE: this is disputed by a third party because the claim of "do not me...

RLSA-2025:7391 Important: podman security update

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. Security Fixes: go-jose: Go JOSE's Parsing Vulnerable to Denial of Service CVE-2025-27144...

Weak Encryption

jose is vulnerable to weak encryption. The vulnerability is due to encryption algorithms that are claimed to not meet recommended security standards, which allows an attacker to potentially bypass intended cryptographic strength...

CVE-2025-45767

jose v6.0.10 was discovered to contain weak encryption. NOTE: this is disputed by a third party because the claim of "do not meet recommended security standards" does not reflect guidance in a final publication...

SUSE CVE-2024-28176

jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens JWT, JSON Web Signature JWS, JSON Web Encryption JWE, JSON Web Key JWK, JSON Web Key Set JWKS, and more. A vulnerability has been identified in the JSON Web Encryption JWE decryption interfaces...

jose Security Vulnerabilities

jose is a JavaScript module for signing and encrypting JSON objects. A security vulnerability exists in latchset jose 11 and earlier versions that could allow an attacker to cause a denial of service via a large p2c value...

jose Security Vulnerabilities

jose is a JavaScript module for signing and encrypting JSON objects. A security vulnerability exists in jose 1.11.6 and earlier versions that could allow an attacker to cause a denial of service via the PBES2 Count value in the JOSE header...

jose Security Vulnerabilities

jose is a JavaScript module for signing and encrypting JSON objects. A security vulnerability exists in jose versions prior to 4.0.1, 3.0.3, and 2.6.3, which allows an attacker to send JWEs containing compressed data that uses a large amount of memory and CPU when decompressed via Decrypt or...

@10duke/event-data-reader-cli (=1.0.0), @adonisjs/auth (>=4.0.0 <=4.0.1) +524 more potentially affected by CVE-2024-28176 via jose (>=0.3.2 <=2.0.5)

jose NPM version =0.3.2, =4.0.0, =0.4.0-next.10, =0.13.0, =1.6.0, =1.2.3, =1.6.11, =1.10.0, =1.0.0, =0.7.0, =0.1.1, =0.2.0, =0.2.33 - @arianee/arianee-server =0.0.1-beta and more Source cves: CVE-2024-28176 Source advisory: OSV:GHSA-HHHV-Q57G-882Q...

@dci-lint/cmd-api-server (>=0.3.0 <=0.4.0), @dci-lint/test-api-client (>=0.3.0 <=0.4.0) +46 more potentially affected by CVE-2022-36083 via jose (>=1.18.1 <=1.28.1)

jose NPM version =1.18.1, =0.3.0, =0.3.0, =0.3.0, =0.10.0-unstable.2b529f0, =0.6.1, =0.6.3, =0.6.3, =0.6.4, =0.6.3, =0.6.9, =0.6.1, =0.6.3, =0.6.3, =0.6.3, =0.6.5, =0.9.4 and more Source cves: CVE-2022-36083 Source advisory: OSV:GHSA-JV3G-J58F-9MQ9...

@decentralized-identity/ion-sdk (>=0.1.0 <=0.4.1), @tadashi/jwt (>=6.0.0 <=7.0.0) +21 more potentially affected by CVE-2022-36083 via jose (>=2.0.1 <=2.0.5)

jose NPM version =2.0.1, =0.1.0, =6.0.0, =3.0.4, =3.0.4, =3.0.5, =3.0.4, =3.0.5, =3.0.4, =3.0.6, =3.0.3, =3.0.5, =3.1.0, =2.3.2, =0.1.0, =1.2.4 and more Source cves: CVE-2022-36083 Source advisory: OSV:GHSA-JV3G-J58F-9MQ9...

0xble (=14.1.0), 10minions-engine (>=0.0.1 <=0.0.4) +7455 more potentially affected by CVE-2022-36083 via jose (>=4.0.3 <=4.9.1)

jose NPM version =4.0.3, =0.0.1, =1.0.0, =0.1.0, =1.0.22, =0.1.0, =0.1.1, =0.0.1, =0.4.0, =0.4.0, =1.0.2, =1.0.0, =0.0.1, =1.1.4, =1.1.24 and more Source cves: CVE-2022-36083 Source advisory: OSV:GHSA-JV3G-J58F-9MQ9...