81 matches found

AstraLinux
added 2026/06/19 11:10 a.m., 5 views

Astra Linux – Vulnerability in golang-github-golang-jwt-jwt

golang-jwt is a Go implementation of JSON Web Tokens. Starting from version 3.2.0 and before versions 5.2.2 and 4.5.2, the parse.ParseUnverified function splits its argument, which is untrusted data, on periods. As a result, in the case of a malicious request where the Authorization header...

CVSS 7.5 | AI score 6.2 | EPSS 0.00693
Exploits 0 | References 2

RedHat Linux
added 2026/06/16 12:16 p.m., 7 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token (JWT) implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys (JWK) in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

CVSS 7.4 | AI score 5.5 | EPSS 0.00232
Exploits 1 | References 5

EUVD
added 2026/06/15 7:28 p.m., 10 views

EUVD-2026-32915

PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes...

CVSS 8.8 | AI score 7.8 | EPSS 0.02214
Exploits 1 | References 3

EUVD
added 2026/06/15 7:28 p.m., 9 views

EUVD-2026-32917

PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed...

CVSS 7.4 | AI score 5.1 | EPSS 0.00232
Exploits 1 | References 3

RedhatCVE
added 2026/06/04 10:17 p.m., 9 views

CVE-2026-48522

A flaw was found in PyJWT, a JSON Web Token implementation in Python. The PyJWKClient component, prior to version 2.13.0, directly passes its Uniform Resource Identifier (URI) argument to urllib.request.urlopen. This allows a remote attacker, by influencing the application's jku URL ingestion path,...

CVSS 4.2 | AI score 5.8 | EPSS 0.00181
Exploits 1 | References 4

RedHat Linux
added 2026/06/01 9:08 p.m., 11 views

Important: Red Hat Security Advisory: fence-agents security update

An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, i...

CVSS 8.2 | AI score 7.2 | EPSS 0.00227
Exploits 1 | References 3

NVD
added 2026/05/28 4:16 p.m., 14 views

CVE-2026-48525

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For...

CVSS 5.3 | EPSS 0.00288
Exploits 1 | References 1

CNNVD
added 2026/05/28 12:00 a.m., 7 views

pyjwt security vulnerability

pyjwt is a Python library developed by José Padilla of the United States. It allows for the encoding and decoding of JSON Web Tokens (JWTs). Security vulnerabilities exist in versions 2.9.0 to 2.12.1 of pyjwt. These vulnerabilities arise when the jwt.decode or jwt.decode_complete function is called...

CVSS 5.4 | AI score 5.8 | EPSS 0.00127
Exploits 1 | References 1

UbuntuCve
added 2026/05/15 5:16 p.m., 7 views

CVE-2026-44699

LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid...

CVSS 9.1 | AI score 5.8 | EPSS 0.00209
Exploits 0 | References 2

vulnersOsv
added 2026/05/06 10:26 p.m., 6 views

@jsprismarine/client (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +1 more potentially affected by CVE-2026-44351 via fast-jwt (>=6.0.0 <=6.0.1)

fast-jwt NPM version =6.0.0, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.13.1-unstable-20250503082416 Source cves: CVE-2026-44351 Source advisory: SNYK:JS-FASTJWT-16439016...

CVSS 9.1 | AI score 5.4 | EPSS 0.00236
Exploits 0

Tenable Nessus
added 2026/05/06 12:00 a.m., 7 views

AlmaLinux 10 : fence-agents (ALSA-2026:13916)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:13916 advisory. pyjwt: PyJWT accepts unknown crit header extensions (RFC 7515 §4.1.11 MUST violation) (CVE-2026-32597); pyasn1: pyasn1 Vulnerable to Denial of Service via...

CVSS 7.5 | AI score 7.1 | EPSS 0.0058
Exploits 2 | References 4

Tenable Nessus
added 2026/04/30 12:00 a.m., 6 views

Oracle Linux 8 : fence-agents (ELSA-2026-12176)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-12176 advisory. - bundled cryptography: replace with dependency to fix CVE-2026-26007 - bundled PyJWT: replace with dependency to fix CVE-2026-32597 Tenable has...

CVSS 8.2 | AI score 7.3 | EPSS 0.0058
Exploits 2 | References 4

Tenable Nessus
added 2026/04/17 12:00 a.m., 5 views

SUSE SLED15 / SLES15 Security Update : python-PyJWT (SUSE-SU-2026:1400-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:1400-1 advisory. - CVE-2026-32597: Fixed unknown crit header extensions accepts (bsc#1259616). Tenable has extracted the preceding...

CVSS 7.5 | AI score 5.8 | EPSS 0.00198
Exploits 1 | References 4

OSV
added 2026/03/25 6:08 p.m., 1 view

SUSE-SU-2026:20839-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issue: Update to PyJWT 2.12.1: - CVE-2026-32597: PyJWT accepts unknown crit header extensions (bsc#1259616). Changelog: Update to 2.12.1: - Add missing typing_extensions dependency for Python 3.11 in #1150. Update to 2.12.0: - Annotate PyJWKSet.keys for...

CVSS 7.5 | AI score 5.9 | EPSS 0.00198
Exploits 1 | References 3

Tenable Nessus
added 2026/03/20 12:00 a.m., 5 views

Pac4J JWT 4.x < 4.5.9 / 5.x < 5.7.9 / 6.x < 6.3.3 Authentication Bypass

The version of Pac4J JWT installed on the remote host is affected by an authentication bypass vulnerability. - pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forg...

CVSS 9.3 | AI score 6.8 | EPSS 0.05856
Exploits 17 | References 2

RedhatCVE
added 2026/01/09 9:21 a.m., 9 views

CVE-2021-41106

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as...

CVSS 4.4 | AI score 6.9 | EPSS 0.00199
Exploits 0 | References 1

Fedora
added 2025/12/30 12:38 a.m., 6 views

[SECURITY] Fedora 43 Update: golang-github-jwt-5-5.2.1-6.fc43

A Go implementation of JSON Web Tokens...

CVSS 7.5 | AI score 7 | EPSS 0.00626
Exploits 0

Tenable Nessus
added 2025/12/29 12:00 a.m., 2 views

Fedora 43 : golang-github-jwt-5 (2025-12b00d8e2c)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-12b00d8e2c advisory. Rebuilt for CVE-2025-61723. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has no...

CVSS 7.5 | AI score 7.2 | EPSS 0.00626
Exploits 0 | References 3

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2021-2000

Malware in sbrugna...

CVSS 4.4 | AI score 4.1 | EPSS 0.00199
Exploits 0 | References 7

EUVD
added 2025/10/03 8:07 p.m., 5 views

EUVD-2022-1028

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.5 | EPSS 0.0209
Exploits 0 | References 11