EUVD-2023-44776

Malicious code in bioql PyPI...

File Browser’s insecure JWT handling can lead to session replay attacks after logout

Summary File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWE's listed in this report for further reference and system standards. In summary, the main issue is: - Tokens remain valid after logout session replay...

CVE-2025-35940

The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints...

CVE-2025-49001

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available...

CVE-2022-44796

An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically...

PT-2025-21029 · Zkt · Zkbio Cvsecurity

Name of the Vulnerable Software and Affected Versions: ZKT ZKBio CVSecurity version 6.4.1 R Description: An unauthenticated attacker can craft a JWT token using a hardcoded secret to authenticate to the service console. Recommendations: For ZKT ZKBio CVSecurity version 6.4.1 R, update the softwar...

CVE-2025-45746

In ZKT ZKBio CVSecurity 6.4.1R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and...

CVE-2024-34354

CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch...

PT-2023-5389 · D Link · D-Link D-View 8

Name of the Vulnerable Software and Affected Versions: D-Link D-View 8 version 2.0.1.28 Description: The issue is related to the use of a static key for protecting JWT tokens in user authentication, which can allow an attacker to bypass security restrictions and gain unauthorized access to...

CVE-2023-39846

An issue in Konga v0.14.9 allows attackers to bypass authentication via a crafted JWT token...

PT-2022-27316 · Unknown · Object First Ootbi Beta

Name of the Vulnerable Software and Affected Versions: Object First Ootbi BETA versions 1.0.7.712 through 1.0.13.1610 Description: An issue was discovered in the authorization service, allowing access to the Web UI without knowing credentials. The JWT token uses a secret key generated through a...

OPENSUSE-SU-2021:1225-1 Security update for dovecot23

This update for dovecot23 fixes the following issues: Update dovecot to version 2.3.15 jscSLE-19970: Security issues fixed: - CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has...