Lucene search
K

1647 matches found

CVE
CVE
added 2026/06/21 1:0 a.m.24 views

CVE-2026-12771

CVE-2026-12771 affects the litellm library by BerriAI up to version 1.82.2, specifically in litellm/proxy/auth/user_api_key_auth.py (M2M JWT Handler). The flaw enables improper authorization via remote exploitation with high attack complexity; public PoC exists. SNYK detaails identify the vulnera...

7.5CVSS5.3AI score0.00288EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/06/19 1:7 p.m.31 views

CVE-2026-39999 Apache APISIX: JWT Algorithm Confusion allows authentication bypass

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which...

7CVSS0.00386EPSS
Exploits0References1
CVE
CVE
added 2026/06/19 1:7 p.m.34 views

CVE-2026-39999

CVE-2026-39999 is an authentication bypass in Apache APISIX caused by misconfigurations in the jwt-auth plugin. Affected versions are 2.2 through 3.16.0; the issue allows bypassing authentication via spoofed tokens. The entry is resolved by upgrading to v3.17.0, which fixes the vulnerability. Rel...

9.1CVSS5.9AI score0.00386EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50738

Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0 through 4.11.0 ZITADEL versions 3.0.0 through 3.4.11 Description An authentication bypass exists in the external JWT Identity Provider IdP implementation. While the system validates the cryptographic signature and the...

4.2CVSS5.9AI score
Exploits0References8
NVD
NVD
added 2026/06/17 11:17 p.m.16 views

CVE-2026-50202

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and...

5.9CVSS0.0029EPSS
Exploits0References3
CVE
CVE
added 2026/06/17 9:53 p.m.25 views

CVE-2026-50202

Summary: CVE-2026-50202 affects Steeltoe libraries: Steeltoe.Security.Authentication.CloudFoundryBase < 3.4.0, Steeltoe.Security.Authentication.JwtBearer < 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect

5.9CVSS5.3AI score0.0029EPSS
Exploits0References3
NVD
NVD
added 2026/06/17 1:20 p.m.10 views

CVE-2026-48781

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWTSECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from...

9.9CVSS0.00209EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/16 8:13 p.m.8 views

Use of Hard-coded Credentials

Overview Crawl4AI is a 🚀🤖 Crawl4AI: Open-source LLM Friendly Web Crawler & scraper Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the outputpath parameter, which allows arbitrary filesystem paths without validation. An attacker can overwrite or create files ...

9.8CVSS6.1AI score0.00417EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/16 3:18 p.m.27 views

CVE-2026-53776 Perry < 0.5.1166 JWT Expiration Bypass via verify_decode

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validateexp = false in the verifydecode helper within the stdlib JWT verification path. Attackers in possession of a previously issued...

9.3CVSS0.00357EPSS
Exploits0References3
CVE
CVE
added 2026/06/16 3:18 p.m.26 views

CVE-2026-53776

Perry before 0.5.1166 contains a JWT validation vulnerability in the verify_decode helper that sets validate_exp = false unconditionally, enabling token expiration bypass. Attackers with a previously issued bearer token can present expired tokens to jwt.verify() calls and retain access, undermini...

9.3CVSS5.4AI score0.00357EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/16 3:18 p.m.8 views

EUVD-2026-37126

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validateexp = false in the verifydecode helper within the stdlib JWT verification path. Attackers in possession of a previously issued...

9.3CVSS5.4AI score0.00357EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/06/16 12:16 p.m.9 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.5AI score0.00394EPSS
Exploits1References5
OSV
OSV
added 2026/06/16 12:4 p.m.5 views

RLSA-2026:25902 Important: fence-agents security update

The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fixes: python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Token...

7.4CVSS5.3AI score0.00394EPSS
Exploits1References2
OSV
OSV
added 2026/06/16 8:55 a.m.4 views

SUSE-SU-2026:22238-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments directly to urllib.request.urlopen and allows for SSRF and token forgery bsc1266798. - CVE-2026-48523: verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are...

7.4CVSS5.7AI score0.00394EPSS
Exploits4References11
NVD
NVD
added 2026/06/16 4:17 a.m.19 views

CVE-2026-6964

The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain...

5.3CVSS0.00323EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/16 3:30 a.m.13 views

EUVD-2026-37031

The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain...

5.3CVSS5.3AI score0.00323EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/06/16 3:30 a.m.7 views

CVE-2026-6964 Video Conferencing with Zoom <= 4.6.7 - Missing Authorization to Unauthenticated Zoom SDK Credential Exposure via 'get_auth' AJAX Action

The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain...

5.3CVSS5.3AI score0.00323EPSS
Exploits0References8
CVE
CVE
added 2026/06/16 3:30 a.m.15 views

CVE-2026-6964

The CVE-2026-6964 entry covers the WordPress plugin Video Conferencing with Zoom (versions up to 4.6.7). It states an authorization bypass in the get_auth AJAX action, allowing unauthenticated attackers to obtain the site’s Zoom SDK API key and a freshly-signed JWT usable with the Zoom Web SDK to...

5.3CVSS5.3AI score0.00323EPSS
Exploits0References8
Fedora
Fedora
added 2026/06/16 1:11 a.m.17 views

[SECURITY] Fedora 43 Update: perl-Mojo-JWT-1.02-1.fc43

JSON Web Token is described in https://tools.ietf.org/html/rfc7519. Mojo::JWT implements that standard with an API that should feel familiar to Mojolicious users though of course it is useful elsewhere. Indeed, JWT is much like Mojolicious::Sessions except that the result is a URL-safe text strin...

5.3AI score
Exploits0
Fedora
Fedora
added 2026/06/16 1:3 a.m.20 views

[SECURITY] Fedora 44 Update: perl-Mojo-JWT-1.02-1.fc44

JSON Web Token is described in https://tools.ietf.org/html/rfc7519. Mojo::JWT implements that standard with an API that should feel familiar to Mojolicious users though of course it is useful elsewhere. Indeed, JWT is much like Mojolicious::Sessions except that the result is a URL-safe text strin...

5.3AI score
Exploits0
Rows per page
Query Builder