ATTACKERKB
added 2026/05/28 3:10 p.m., 9 views

CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decode_complete is called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVSS 5.4, AI score 5.8, EPSS 0.00127
Exploits 1, References 2, Affected software 1
Vulnrichment
added 2026/05/28 3:09 p.m., 12 views

CVE-2026-48526 PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier decodes JSON Web Tokens while supporting both asymmetric and HMAC algorithms, the library does not validate the type of JSON Web Key used with an HMAC algorithm, allowing an attacker to use the issuer's public key as the...

CVSS 7.4, AI score 5.8, EPSS 0.00232
Exploits 1, References 1
ATTACKERKB
added 2026/05/28 3:09 p.m., 10 views

CVE-2026-48526

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier decodes JSON Web Tokens while supporting both asymmetric and HMAC algorithms, the library does not validate the type of JSON Web Key used with an HMAC algorithm, allowing an attacker to use the issuer's public key as the...

CVSS 7.4, AI score 5.8, EPSS 0.00232
Exploits 1, References 2, Affected software 1
Debian CVE
added 2026/05/28 3:09 p.m., 9 views

CVE-2026-48526

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier decodes JSON Web Tokens while supporting both asymmetric and HMAC algorithms, the library does not validate the type of JSON Web Key used with an HMAC algorithm, allowing an attacker to use the issuer's public key as the...

CVSS 7.4, AI score 5.8, EPSS 0.00232
Exploits 1
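Added example (not PyJWT's code and not from either advisory): a stdlib-only Python model of the key-family confusion behind CVE-2026-48526, which the truncated descriptions above only sketch. The Jwk class, the placeholder public key, the shared secret and the claims are all constructed for the example. decode_vulnerable enforces the algorithms allow-list and nothing else, so a verifier configured with a mixed allow-list (RS256 and HS256) and handed the issuer's public key accepts an HS256 token whose MAC was computed over that public key's bytes; decode_hardened adds the check that an HMAC algorithm may only be used with a symmetric ("oct") key. The separate allow-list weakness of CVE-2026-48523 is cut off on this page and is not modelled.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

@dataclass(frozen=True)
class Jwk:
    """Hypothetical stand-in for a JWK object such as PyJWT's PyJWK. kty follows
    RFC 7517 ("oct" = symmetric, "RSA"/"EC" = asymmetric); material is the
    bytes the verifier hands to the signature primitive."""
    kty: str
    material: bytes

# Constructed placeholder for the issuer's published RSA public key. A real
# attacker fetches the real one from the issuer's JWKS endpoint.
ISSUER_PUBLIC_JWK = Jwk(kty="RSA", material=(
    b"-----BEGIN PUBLIC KEY-----\n"
    b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
    b"-----END PUBLIC KEY-----\n"))

# Constructed shared secret for the legitimate HMAC case.
SHARED_SECRET_JWK = Jwk(kty="oct", material=b"constructed-demo-secret")

HMAC_ALGS = {"HS256", "HS384", "HS512"}

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact JWS with alg=HS256 keyed by whatever bytes are passed."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)

def _parse(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), parts

def _verify(header: dict, parts: list, key: Jwk) -> dict:
    """Signature check only: the key's bytes are used as-is for the header alg."""
    alg = header.get("alg")
    if alg == "HS256":
        expected = hmac.new(key.material, f"{parts[0]}.{parts[1]}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(parts[1]))
    if alg == "RS256":
        # RSA verification is omitted: the forged token never takes this branch.
        raise NotImplementedError("RS256 verification not modelled here")
    raise ValueError(f"unsupported alg {alg!r}")

def decode_vulnerable(token: str, key: Jwk, algorithms: list) -> dict:
    """Allow-list check on the header alg only; nothing ties the key's type to
    the algorithm family, so an RSA public key is fed to HMAC as a secret."""
    header, parts = _parse(token)
    if header.get("alg") not in algorithms:
        raise ValueError("alg not in allow-list")
    return _verify(header, parts, key)

def decode_hardened(token: str, key: Jwk, algorithms: list) -> dict:
    """Allow-list check plus a key-family check: HMAC algs require an "oct"
    key, asymmetric algs must not get one."""
    header, parts = _parse(token)
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError("alg not in allow-list")
    if (alg in HMAC_ALGS) != (key.kty == "oct"):
        raise ValueError(f"key type {key.kty!r} cannot be used with {alg!r}")
    return _verify(header, parts, key)

def forge_with_public_key(claims: dict) -> str:
    """The attacker's step: HS256-sign using the public key bytes as the secret."""
    return sign_hs256(claims, ISSUER_PUBLIC_JWK.material)

def _accepts(decoder, token: str, key: Jwk, algorithms: list) -> bool:
    try:
        decoder(token, key, algorithms)
        return True
    except ValueError:
        return False

def demo() -> dict:
    forged = forge_with_public_key({"sub": "admin", "role": "superuser"})
    legit = sign_hs256({"sub": "alice"}, SHARED_SECRET_JWK.material)
    mixed = ["RS256", "HS256"]  # the misconfiguration: both families allowed
    return {
        "vulnerable_accepts_forgery": _accepts(decode_vulnerable, forged, ISSUER_PUBLIC_JWK, mixed),
        "hardened_accepts_forgery": _accepts(decode_hardened, forged, ISSUER_PUBLIC_JWK, mixed),
        "vulnerable_with_single_family": _accepts(decode_vulnerable, forged, ISSUER_PUBLIC_JWK, ["RS256"]),
        "hardened_accepts_legit": _accepts(decode_hardened, legit, SHARED_SECRET_JWK, ["HS256"]),
    }
```

Two of demo()'s results carry the practical lesson: the forgery already fails against decode_vulnerable once the allow-list names a single family (["RS256"]), which is the configuration-level mitigation the title of CVE-2026-48526 points at, and it fails against decode_hardened even with a mixed list, which is what a library-level fix has to provide.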
NVD
added 2026/05/28 8:16 a.m., 17 views

CVE-2026-9227

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos substring check that only verifies whether the filename contains the string '.json' rath...

CVSS 8.8, EPSS 0.00659
Exploits 0, References 9
Cvelist
added 2026/05/28 6:45 a.m., 34 views

CVE-2026-9227 GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos substring check that only verifies whether the filename contains the string '.json' rath...

CVSS 8.8, EPSS 0.00659
Exploits 0, References 9
ATTACKERKB
added 2026/05/28 6:45 a.m., 9 views

CVE-2026-9227

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos substring check that only verifies whether the filename contains the string '.json' rath...

CVSS 8.8, AI score 6.4, EPSS 0.00659
Exploits 0, References 10
CVE
added 2026/05/28 6:45 a.m., 16 views

CVE-2026-9227

The connected CVE entries confirm a vulnerability in GutenBee ≤ 2.20.1 (WordPress plugin): an Arbitrary File Upload via the function gutenbee_file_and_ext_json. The root cause is a flawed strpos() check that only tests for the presence of ".json" in the filename, not that it ends with a .json ext...

CVSS 8.8, AI score 6.4, EPSS 0.00659
Exploits 0, References 9
Vulnrichment
added 2026/05/28 6:45 a.m., 7 views

CVE-2026-9227 GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos substring check that only verifies whether the filename contains the string '.json' rath...

CVSS 8.8, AI score 6.4, EPSS 0.00659
Exploits 0, References 9
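Added example, not the plugin's code: GutenBee is PHP, but the two checks at issue in CVE-2026-9227 are reproduced here in Python, the one language used for the added examples on this page. substring_check mirrors a strpos test for '.json' anywhere in the name; extension_check is the test the advisory says is needed, on the final extension of the basename. The filenames are constructed to show exactly where the two disagree.

```python
import os

# Constructed filenames: the first two are ordinary uploads, the rest are
# names chosen so that ".json" appears somewhere other than as the final
# extension.
SAMPLE_NAMES = [
    "settings.json",
    "export.JSON",
    "payload.json.php",
    "payload.php.json",
    ".json",
    "backup.jsonx",
]

def substring_check(filename: str) -> bool:
    """Mirrors strpos($name, '.json') !== false: true as soon as the string
    appears anywhere in the name, regardless of what follows it."""
    return ".json" in filename

def extension_check(filename: str) -> bool:
    """The check the advisory calls for: the final extension of the basename
    must be .json (compared case-insensitively), with a name in front of it."""
    root, ext = os.path.splitext(os.path.basename(filename))
    return bool(root) and ext.lower() == ".json"

def classify(names) -> dict:
    """Which of the two checks each name passes."""
    return {n: {"substring": substring_check(n), "extension": extension_check(n)}
            for n in names}

def names_passing_only_substring(names) -> list:
    """The gap between the checks: names a substring test waves through but an
    extension test rejects. This is the set an upload gate must not accept."""
    return [n for n in names if substring_check(n) and not extension_check(n)]
```

Note that the substring test is also case-sensitive, so it refuses the harmless "export.JSON" while accepting "payload.json.php": it is wrong in both directions, which is typical of substring checks standing in for extension checks.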
NVD
added 2026/05/28 6:16 a.m., 14 views

CVE-2026-9673

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications...

CVSS 7, EPSS 0.00166
Exploits 0, References 4
Cvelist
added 2026/05/28 5:00 a.m., 35 views

CVE-2026-9673

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications...

CVSS 7, EPSS 0.00166
Exploits 0, References 4
Vulnrichment
added 2026/05/28 5:00 a.m., 9 views

CVE-2026-9673

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications...

CVSS 7, AI score 5.9, EPSS 0.00166
Exploits 0, References 4
CVE
added 2026/05/28 5:00 a.m., 26 views

CVE-2026-9673

CVE-2026-9673 affects json-2-csv versions from 3.15.0 up to, but not including, 5.5.11, which are vulnerable to CSV Injection via the preventCsvInjection option, which can be bypassed. An attacker can inject formulas into CSV files that execute when opened in spreadsheet apps. The SNYK entry describes a PoC and recomme...

CVSS 7, AI score 5.9, EPSS 0.00166
Exploits 0, References 4
ATTACKERKB
added 2026/05/28 5:00 a.m., 10 views

CVE-2026-9673

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications...

CVSS 7, AI score 5.9, EPSS 0.00166
Exploits 0, References 5
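Added example, not json-2-csv's code and not the specific bypass reported in CVE-2026-9673, whose mechanics the listings above do not give. json-2-csv is a JavaScript package; the general weakness class is shown here in Python, the one language used for the added examples on this page: a sanitiser that only inspects the first character for =, +, -, @ misses cells that begin with a tab or carriage return (both on OWASP's list of CSV formula trigger characters), and the hardened form also looks past leading whitespace, which is conservative by design. The records are constructed.

```python
import csv
import io

FORMULA_TRIGGERS = "=+-@"
# Tab and carriage return are also listed by OWASP as characters that make a
# spreadsheet interpret the cell, so a sanitiser has to treat them as triggers.
CONTROL_TRIGGERS = "\t\r"

def naive_sanitize(value: str) -> str:
    """Looks only at the very first character: the shape of a first-char-only
    preventCsvInjection-style option."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value

def starts_dangerously(value: str) -> bool:
    """True if the cell starts with a control trigger, or if its first
    non-whitespace character is a formula trigger."""
    if not value:
        return False
    if value[0] in CONTROL_TRIGGERS:
        return True
    first_visible = value.lstrip(" \t\r\n")[:1]
    return bool(first_visible) and first_visible in FORMULA_TRIGGERS

def hardened_sanitize(value: str) -> str:
    """Over-escaping a value such as "-5" costs a leading quote; under-escaping
    costs code execution on the analyst's desktop, so err towards escaping."""
    return "'" + value if starts_dangerously(value) else value

def to_csv(records: list, sanitize) -> str:
    """Serialise a list of dicts, running every string cell through sanitize()."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(records[0]), quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow({k: sanitize(v) if isinstance(v, str) else v for k, v in rec.items()})
    return buf.getvalue()

def cells_still_dangerous(csv_text: str, column: str) -> list:
    """Re-read the CSV and report cells in `column` that still begin with a trigger,
    the check a reviewer runs over an export before trusting the sanitiser."""
    return [row[column] for row in csv.DictReader(io.StringIO(csv_text))
            if starts_dangerously(row[column])]

# Constructed records: one benign note, one classic formula, one that hides the
# formula behind a leading tab.
SAMPLE_RECORDS = [
    {"user": "alice", "note": "renewed licence"},
    {"user": "mallory", "note": '=HYPERLINK("http://example.invalid","click")'},
    {"user": "mallory", "note": "\t=1+1"},
]
```

The only way to be sure a sanitiser option is doing its job is to read the produced file back and scan every cell, as cells_still_dangerous does; a unit test on the sanitiser function alone would not have caught a first-character-only implementation being handed a tab.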
CVE
added 2026/05/28 3:44 a.m., 47 views

CVE-2026-9793

Keycloak vulnerability CVE-2026-9793: when a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This can lead to unauthorized claims and data integrity c...

CVSS 7.5, AI score 5.8, EPSS 0.0012
Exploits 0, References 2, Affected software 1
Cvelist
added 2026/05/28 3:44 a.m., 31 views

CVE-2026-9793 Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leadin...

CVSS 5.9, EPSS 0.0012
Exploits 0, References 2
Vulnrichment
added 2026/05/28 3:44 a.m., 12 views

CVE-2026-9793 Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leadin...

CVSS 5.9, AI score 5.8, EPSS 0.0012
Exploits 0, References 2
RedhatCVE
added 2026/05/28 3:44 a.m., 18 views

CVE-2026-9793

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leadin...

CVSS 7.5, AI score 5.7, EPSS 0.0012
Exploits 0, References 3
Snyk
added 2026/05/28 3:12 a.m., 6 views

Improper Verification of Cryptographic Signature

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the requestObjectSignatureAlg policy bypass during the...

CVSS 8.2, AI score 5.4, EPSS 0.0012
Exploits 0, References 2
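Added example, not Keycloak's code and not its patch: a Python model of the post-decryption handling described in CVE-2026-9793 and in the Snyk entry's requestObjectSignatureAlg wording. JWE decryption itself is left out; the functions start from the decrypted plaintext. REQUIRED_SIGNATURE_ALG stands in for a configured request-object signature policy; CLIENT_KEY and the three plaintexts are constructed. process_vulnerable accepts any plaintext that parses as a JSON object without consulting the policy; process_hardened accepts raw JSON only when no signature policy is configured at all and otherwise insists on a nested JWS whose algorithm matches the policy and whose signature verifies.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed stand-ins for the client's registered policy and signing key.
# Decrypting the outer JWE is out of scope: the flaw is in what the server does
# with the plaintext it gets back, so the handlers below start from there.
REQUIRED_SIGNATURE_ALG = "HS256"
CLIENT_KEY = b"constructed-client-secret"

def make_signed_request_object(claims: dict, key: bytes) -> str:
    """A legitimately signed nested JWS, the form the policy expects inside the JWE."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)

def verify_nested_jws(text: str, key: bytes, required_alg: str) -> dict:
    """Enforce the signature policy: compact JWS structure, the policy's alg, a valid MAC."""
    parts = text.split(".")
    if len(parts) != 3:
        raise PermissionError("request object is not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != required_alg:
        raise PermissionError(f"alg {header.get('alg')!r} does not satisfy policy {required_alg!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise PermissionError("bad signature on request object")
    return json.loads(b64url_decode(parts[1]))

def process_vulnerable(plaintext: bytes, key: bytes, required_alg: str) -> dict:
    """If the decrypted content parses as a JSON object its claims are taken as-is;
    the signature policy is only consulted when the content is a nested JWS."""
    text = plaintext.decode("utf-8")
    try:
        obj = json.loads(text)
    except ValueError:
        obj = None
    if isinstance(obj, dict):
        return obj  # unsigned claims accepted, policy never reached
    return verify_nested_jws(text, key, required_alg)

def process_hardened(plaintext: bytes, key: bytes, required_alg) -> dict:
    """Raw JSON is acceptable only when no signature policy is configured
    (required_alg is None, this example's convention); otherwise the plaintext
    must be a nested JWS that satisfies the policy, and anything else is refused."""
    text = plaintext.decode("utf-8")
    if required_alg is None:
        obj = json.loads(text)
        if not isinstance(obj, dict):
            raise PermissionError("request object is not a JSON object")
        return obj
    return verify_nested_jws(text, key, required_alg)

def accepted(handler, plaintext: bytes, key: bytes = CLIENT_KEY,
             required_alg=REQUIRED_SIGNATURE_ALG) -> bool:
    try:
        handler(plaintext, key, required_alg)
        return True
    except (PermissionError, ValueError):
        return False

# Constructed inputs: what an attacker would place inside the JWE (raw JSON with
# claims they could never get signed), a properly signed object, and one signed
# under the wrong key.
RAW_JSON_PLAINTEXT = json.dumps({"client_id": "webapp", "scope": "openid admin"}).encode()
SIGNED_PLAINTEXT = make_signed_request_object({"client_id": "webapp", "scope": "openid"}, CLIENT_KEY).encode()
WRONG_KEY_PLAINTEXT = make_signed_request_object({"client_id": "webapp"}, b"not-the-client-key").encode()

def demo() -> dict:
    return {
        "vulnerable_accepts_raw_json": accepted(process_vulnerable, RAW_JSON_PLAINTEXT),
        "hardened_accepts_raw_json": accepted(process_hardened, RAW_JSON_PLAINTEXT),
        "hardened_accepts_signed": accepted(process_hardened, SIGNED_PLAINTEXT),
        "hardened_accepts_wrong_key": accepted(process_hardened, WRONG_KEY_PLAINTEXT),
        "vulnerable_accepts_wrong_key": accepted(process_vulnerable, WRONG_KEY_PLAINTEXT),
    }
```

The vulnerable handler is not careless about signatures as such (a badly signed nested JWS is still rejected); the hole is that a well-formed JSON object takes a branch on which the policy is never evaluated, so the fix is to decide from the policy what shape the plaintext is allowed to have, before trying to parse it.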
Cvelist
added 2026/05/28 12:00 a.m., 27 views

CVE-2026-42999

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from...

CVSS 6, EPSS 0.00254
Exploits 1, References 2
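Added example, not Keystone's code and not the fix shipped in 29.0.2: a Python sketch of the merge-order problem the description names. TRUSTED_TARGET stands for what the enforcer derived from the token and its own lookups, ATTACKER_BODY for a request body whose top-level "target" key collides with it, and rule_same_project for a policy rule that reads target.project.id; all three are constructed. build_policy_dict_vulnerable applies the body last with dict.update, so the attacker's target wins; build_policy_dict_hardened keeps the trusted keys and reports the keys the body tried to shadow.

```python
import copy

# Constructed trusted context: what the enforcer derived itself (from the token
# and from looking the target up in its database) before the body is considered.
TRUSTED_TARGET = {"target": {"project": {"id": "proj-finance", "domain_id": "default"}}}
CREDENTIALS = {"user_id": "u-1", "project_id": "proj-marketing"}

# Constructed attacker body: a plausible field plus a top-level "target" key
# that collides with the trusted one and names the attacker's own project.
ATTACKER_BODY = {"name": "renamed", "target": {"project": {"id": "proj-marketing"}}}

def build_policy_dict_vulnerable(trusted: dict, json_input: dict) -> dict:
    """Trusted data first, then the raw body merged unconditionally: every
    top-level key in the body overwrites the same trusted key."""
    policy_dict = copy.deepcopy(trusted)
    policy_dict.update(json_input.copy())
    return policy_dict

def build_policy_dict_hardened(trusted: dict, json_input: dict):
    """Trusted keys win. Body keys that would shadow them are dropped and
    reported so the caller can log the attempt or reject the request."""
    policy_dict = copy.deepcopy(trusted)
    shadowed = []
    for key, value in json_input.items():
        if key in policy_dict:
            shadowed.append(key)
            continue
        policy_dict[key] = copy.deepcopy(value)
    return policy_dict, shadowed

def rule_same_project(creds: dict, policy_dict: dict) -> bool:
    """Toy rule in the spirit of project_id:%(target.project.id)s: the caller
    may act only on targets that belong to the caller's own project."""
    return creds["project_id"] == policy_dict["target"]["project"]["id"]

def demo() -> dict:
    vulnerable = build_policy_dict_vulnerable(TRUSTED_TARGET, ATTACKER_BODY)
    hardened, shadowed = build_policy_dict_hardened(TRUSTED_TARGET, ATTACKER_BODY)
    return {
        "vulnerable_allows": rule_same_project(CREDENTIALS, vulnerable),
        "hardened_allows": rule_same_project(CREDENTIALS, hardened),
        "shadowed_keys": shadowed,
        "hardened_kept_name": hardened.get("name"),
        "trusted_untouched": TRUSTED_TARGET["target"]["project"]["id"],
    }
```

Reversing the merge order (body first, trusted data last) also closes the hole; recording the collision, as here, additionally gives the enforcer something concrete to log or to fail closed on, since a body that tries to set "target" has no legitimate reason to exist.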