57 matches found
ROOT-APP-PYPI-CVE-2026-27932 CVE-2026-27932 in rootio-joserfc - Patched by Root
Root has patched CVE-2026-27932 in the rootio-joserfc package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2026-49852 CVE-2026-49852 in rootio-joserfc - Patched by Root
Root has patched CVE-2026-49852 in the rootio-joserfc package for Root:PyPI. Multiple fixed versions available...
OPENSUSE-SU-2026:11183-1 python313-joserfc-1.7.2-2.1 on GA media
These are all security issues fixed in the python313-joserfc-1.7.2-2.1 package on the GA media of openSUSE Tumbleweed...
CVE-2026-49852
creationtimestamp| type| source ---|---|--- 2026-07-02 20:35:04+00:00| published-proof-of-concept| https://github.com/authlib/joserfc/security/advisories/GHSA-gg9x-qcx2-xmrh...
GHSA-GG9X-QCX2-XMRH joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
Summary joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None. HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/rfc7518/jwsalgs.py:62-70 feed whatever OctKey.getopkey... produced into hmac.new..., and...
PT-2026-55459
Name of the Vulnerable Software and Affected Versions joserfc versions 1.6.7 and earlier Description An authentication bypass exists when the verification key provided to joserfc.jwt.decode is an empty string or None. This occurs because the HMACAlgorithm.verify and HMACAlgorithm.sign functions...
EUVD-2026-37805
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization...
GHSA-WPHV-VFRH-23Q5 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
RFC7797 b64=false JWS payloads bypass JWSRegistry payload-size limits during deserialization Summary Testing revealed that joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength. The normal JWS compact and flattened JSON paths reject payloads above...
Linux Distros Unpatched Vulnerability : CVE-2026-48990
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joser...
OPENSUSE-SU-2026:11067-1 python311-joserfc-1.7.1-1.1 on GA media
These are all security issues fixed in the python311-joserfc-1.7.1-1.1 package on the GA media of openSUSE Tumbleweed...
CVE-2026-48990
A flaw was found in joserfc, a Python library for JSON Object Signing and Encryption JOSE. This vulnerability allows a remote attacker to cause resource exhaustion, leading to a Denial of Service DoS, by sending oversized JSON Web Signature JWS payloads. The library fails to apply size limits,...
CVE-2026-48990
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...
DEBIAN-CVE-2026-48990
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...
UBUNTU-CVE-2026-48990
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...
CVE-2026-48990
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...
CVE-2026-48990
In joserfc (Python), CVE-2026-48990 affects versions 1.3.4–1.6.5 where oversized RFC7797 b64=false JWS payloads bypass JWSRegistry.max_payload_length during deserialization, enabling potential resource exhaustion. The standard JWS compact/flattened paths enforce the payload limit via ExceededSize...
CVE-2026-48990 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...
CVE-2026-48990 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...
openSUSE 16 Security Update : python-joserfc (openSUSE-SU-2026:20322-1)
The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2026:20322-1 advisory. Changes in python-joserfc: - CVE-2026-27932: unbounded PBKDF2 iteration count can lead to a denial of service bsc1259154 Tenable has extracted the...
python311-joserfc-1.6.3-1.1 on GA media (moderate)
python311-joserfc-1.6.3-1.1 on GA media Announcement ID: openSUSE-SU-2026:10293-1 Rating: moderate Cross-References: CVE-2026-27932 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...