CVE-2026-48522

A flaw was found in PyJWT, a JSON Web Token implementation in Python. The PyJWKClient component, prior to version 2.13.0, directly passes its Uniform Resource Identifier URI argument to urllib.request.urlopen. This allows a remote attacker, by influencing the application's jku URL ingestion path,...

Important: Red Hat Security Advisory: fence-agents security update

An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, i...

CVE-2026-48525

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option "b64": false, RFC 7797, PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For...

EUVD-2026-32917

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the...

EUVD-2026-32915

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

pyjwt 安全漏洞

pyjwt is a Python library developed by José Padilla of the United States. It allows for the encoding and decoding of JSON Web Tokens JWTs. Security vulnerabilities exist in versions 2.9.0 to 2.12.1 of pyjwt. These vulnerabilities arise when the jwt.decode or jwt.decodecomplete function is called...

Astra Linux - уязвимость в golang-github-golang-jwt-jwt

golang-jwt is a Go implementation of JSON Web Tokens. Starting from version 3.2.0 and before versions 5.2.2 and 4.5.2, the parse.ParseUnverified function splits its argument which contains untrusted data using periods. As a result, in the case of a malicious request where the Authorization header...

CVE-2026-44699

LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid...

@jsprismarine/client (>=0.1.0-rc.50 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +2 more potentially affected by CVE-2026-44351 via fast-jwt (>=6.0.0 <=6.0.1)

fast-jwt NPM version =6.0.0, =0.1.0-rc.50, =0.12.2-unstable-20250320195345, =0.1.0-rc.50, =0.1.0-rc.50, =0.1.0-rc.52 Source cves: CVE-2026-44351 Source advisory: SNYK:JS-FASTJWT-16439016...

AlmaLinux 10 : fence-agents (ALSA-2026:13916)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:13916 advisory. pyjwt: PyJWT accepts unknown crit header extensions RFC 7515 ?4.1.11 MUST violation CVE-2026-32597 pyasn1: pyasn1 Vulnerable to Denial of Service via...

Oracle Linux 8 : fence-agents (ELSA-2026-12176)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-12176 advisory. - bundled cryptography: replace with dependency to fix CVE-2026-26007 - bundled PyJWT: replace with dependency to fix CVE-2026-32597 Tenable has...

SUSE SLED15 / SLES15 Security Update : python-PyJWT (SUSE-SU-2026:1400-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:1400-1 advisory. - CVE-2026-32597: Fixed unknown crit header extensions accepts bsc1259616. Tenable has extracted the preceding...

SUSE-SU-2026:20839-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issue: Update to PyJWT 2.12.1: - CVE-2026-32597: PyJWT accepts unknown crit header extensions bsc1259616. Changelog: Update to 2.12.1: - Add missing typingextensions dependency for Python 3.11 in 1150 Update to 2.12.0: - Annotate PyJWKSet.keys for...

Pac4J JWT 4.x < 4.5.9 / 5.x < 5.7.9 / 6.x < 6.3.3 Authentication Bypass

The version of Pac4J JWT installed on the remote host is affected by an authentication bypass vulnerability. - pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forg...

CVE-2021-41106

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as...

[SECURITY] Fedora 43 Update: golang-github-jwt-5-5.2.1-6.fc43

A Go implementation of JSON Web Tokens...

Fedora 43 : golang-github-jwt-5 (2025-12b00d8e2c)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-12b00d8e2c advisory. Rebuilt for CVE-2025-61723 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has no...

EUVD-2021-2000

Malware in sbrugna...

EUVD-2025-6727

Malicious code in bioql PyPI...

EUVD-2024-46857

Malicious code in bioql PyPI...