MAL-2026-5608 Malicious code in claimora (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b785b842f24aeae0e20157784b17a8bff7003e72575ac9a3aa9cbeb550a5c92 claimora impersonates the jsonwebtoken library auth0: package.json sets author to "auth0", points repository at a non-existent...

Malicious code in claimora (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b785b842f24aeae0e20157784b17a8bff7003e72575ac9a3aa9cbeb550a5c92 claimora impersonates the jsonwebtoken library auth0: package.json sets author to "auth0", points repository at a non-existent...

ROOT-APP-NPM-CVE-2022-23541 CVE-2022-23541 in @rootio/jsonwebtoken - Patched by Root

Root has patched CVE-2022-23541 in the @rootio/jsonwebtoken package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2022-23539 CVE-2022-23539 in @rootio/jsonwebtoken - Patched by Root

Root has patched CVE-2022-23539 in the @rootio/jsonwebtoken package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2022-23540 CVE-2022-23540 in @rootio/jsonwebtoken - Patched by Root

Root has patched CVE-2022-23540 in the @rootio/jsonwebtoken package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-NSWG-ECO-17 NSWG-ECO-17 in @rootio/jsonwebtoken - Patched by Root

Root has patched NSWG-ECO-17 in the @rootio/jsonwebtoken package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2015-9235 CVE-2015-9235 in @rootio/jsonwebtoken - Patched by Root

Root has patched CVE-2015-9235 in the @rootio/jsonwebtoken package for Root:npm. Multiple fixed versions available...

PT-2026-49161

Root has patched NSWG-ECO-17 in the @rootio/jsonwebtoken package for Root:npm. Multiple fixed versions available...

Malicious code in jsontoken-extend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59a8a8ab722d33bdd2ea25422aaf7e607a1b1a881446c3561ec8225fb9187742 On require/import of jsontoken-extend, sign.js executes a top-level IIFE that base64-decodes a hardcoded string to https://www.jsonkeeper.com/b/XAMRK...

MAL-2026-4592 Malicious code in jsontoken-extend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59a8a8ab722d33bdd2ea25422aaf7e607a1b1a881446c3561ec8225fb9187742 On require/import of jsontoken-extend, sign.js executes a top-level IIFE that base64-decodes a hardcoded string to https://www.jsonkeeper.com/b/XAMRK...

jsonwebtoken-aws-lc (=9.3.0), jwts (>=0.5.0 <=0.5.1) +2 more potentially affected by CVE-2026-4428 via aws-lc-sys (=0.21.0)

aws-lc-sys CARGO version =0.21.0 is affected by a known vulnerability. The following packages have a transitive dependency on aws-lc-sys and may be impacted: - jsonwebtoken-aws-lc =9.3.0 - jwts =0.5.0, =0.102.6, =0.20.0, =0.31.0 Source cves: CVE-2026-4428 Source advisory: OSV:GHSA-9F94-5G5W-GF6R...

jsonwebtoken-aws-lc (=9.3.0), jwts (>=0.5.0 <=0.5.1) +2 more potentially affected by CVE-2026-4428 via aws-lc-sys (=0.21.0)

aws-lc-sys CARGO version =0.21.0 is affected by a known vulnerability. The following packages have a transitive dependency on aws-lc-sys and may be impacted: - jsonwebtoken-aws-lc =9.3.0 - jwts =0.5.0, =0.102.6, =0.20.0, =0.31.0 Source cves: CVE-2026-4428 Source advisory: OSV:RUSTSEC-2026-0048...

jsonwebtoken-aws-lc (=9.3.0), jwts (>=0.5.0 <=0.5.1) +2 more potentially affected by CVE-2026-3337 via aws-lc-sys (>=0.14.1 <=0.21.0)

aws-lc-sys CARGO version =0.14.1, =0.5.0, =0.102.2, =0.20.0, =0.31.0 Source cves: CVE-2026-3337 Source advisory: OSV:GHSA-65P9-R9H6-22VJ...

[SECURITY] Fedora 42 Update: rust-jsonwebtoken-9.3.1-4.fc42

Create and decode JWTs in a strongly typed way...

Linux Distros Unpatched Vulnerability : CVE-2026-25537

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic...

DEBIAN-CVE-2026-25537

jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type Like a String instead of a Number, the library’s...

CVE-2026-25537

jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type Like a String instead of a Number, the library’s...

CVE-2026-25537

jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type Like a String instead of a Number, the library’s...

UBUNTU-CVE-2026-25537

jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type Like a String instead of a Number, the library’s...

CVE-2026-25537

CVE-2026-25537 concerns a type-confusion in the jsonwebtoken crate (Rust) prior to 10.3.0, where malformed standard claims may be treated as not present, bypassing time-based checks. Connected Fedora advisories indicate vaultwarden (Bitwarden-compatible server) updates to 1.36.0 address multiple ...