Lucene search
K

33 matches found

CVE
CVE
added 5 days ago10 views

CVE-2026-59219

Open WebUI 0.9.0–0.10.0: with Redis configured, the terminal websocket first-message authentication used decode_token without a Redis-backed is_valid_token revocation check, allowing revoked JWTs to continue authenticating realtime connections. Fixed in version 0.10.0. This affects realtime endpo...

7.1CVSS5.9AI score0.00259EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.16 views

PT-2026-55297

Name of the Vulnerable Software and Affected Versions Dapr affected versions not specified Description Dapr Sentry's OIDC discovery endpoint /.well-known/openid-configuration derives the issuer and jwks uri from the request Host. When no allowed-hosts list is configured, the system honors an...

8.2CVSS6AI score0.00246EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/06/25 8:57 p.m.71 views

CVE-2026-11800

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...

8.1CVSS5.8AI score0.00181EPSS
Exploits0References5
vulnersOsv
vulnersOsv
added 2026/03/20 8:35 p.m.4 views

jsonwebtoken-aws-lc (=9.3.0), jwts (>=0.5.0 <=0.5.1) +2 more potentially affected by CVE-2026-4428 via aws-lc-sys (=0.21.0)

aws-lc-sys CARGO version =0.21.0 is affected by a known vulnerability. The following packages have a transitive dependency on aws-lc-sys and may be impacted: - jsonwebtoken-aws-lc =9.3.0 - jwts =0.5.0, =0.102.6, =0.20.0, =0.31.0 Source cves: CVE-2026-4428 Source advisory: OSV:GHSA-9F94-5G5W-GF6R...

9.1CVSS5.8AI score0.00252EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/03/19 12:0 p.m.3 views

jsonwebtoken-aws-lc (=9.3.0), jwts (>=0.5.0 <=0.5.1) +2 more potentially affected by CVE-2026-4428 via aws-lc-sys (=0.21.0)

aws-lc-sys CARGO version =0.21.0 is affected by a known vulnerability. The following packages have a transitive dependency on aws-lc-sys and may be impacted: - jsonwebtoken-aws-lc =9.3.0 - jwts =0.5.0, =0.102.6, =0.20.0, =0.31.0 Source cves: CVE-2026-4428 Source advisory: OSV:RUSTSEC-2026-0048...

9.1CVSS5.8AI score0.00252EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/03/03 8:9 p.m.3 views

jsonwebtoken-aws-lc (=9.3.0), jwts (>=0.5.0 <=0.5.1) +2 more potentially affected by CVE-2026-3337 via aws-lc-sys (>=0.14.1 <=0.21.0)

aws-lc-sys CARGO version =0.14.1, =0.5.0, =0.102.2, =0.20.0, =0.31.0 Source cves: CVE-2026-3337 Source advisory: OSV:GHSA-65P9-R9H6-22VJ...

8.2CVSS7.4AI score0.01079EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/02/11 12:0 a.m.8 views

Keycloak < 26.5.3 Multiple Vulnerabilities

Keycloak versions installed prior to 26.5.3 are affected by multiple vulnerabilities as referenced in the advisory. - A flaw in Keycloak where the JSON Web Token JWT authorization grant preview feature fails to validate a user's disabled status during JWT authorization grant processing. When this...

8.8CVSS7.3AI score0.00453EPSS
Exploits2References11
AstraLinux
AstraLinux
added 2026/01/13 2:1 p.m.5 views

Astra Linux – Vulnerability in Ceph

Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and earlier, it is possible to send a JWT with “none” as its JWT algorithm. By doing this, the JWT signature is not checked. The vulnerability lies most likely in the RadosGW OIDC provider. As of the time of...

8.1CVSS7.2AI score0.00192EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/09 9:20 a.m.10 views

CVE-2021-33846

Fresenius Kabi Vigilant Software Suite Mastermed Dashboard version 2.0.1.3 issues authentication tokens to authenticated users that are signed with a symmetric encryption key. An attacker in possession of the key can issue valid JWTs and impersonate arbitrary users...

7.2CVSS7AI score0.00313EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2023-0397

Malicious code in bioql PyPI...

8.8CVSS8.3AI score0.00796EPSS
Exploits0References4
Prion
Prion
added 2023/07/17 9:15 p.m.20 views

Design/Logic Flaw

CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit 705bf1f...

7.5CVSS9.8AI score0.05871EPSS
Exploits1References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2023/07/17 12:0 a.m.26 views

CasaOS contains weak JWT secrets

Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances...

9.8CVSS9.9AI score0.05871EPSS
Exploits1References7Affected Software1
Hacker One
Hacker One
added 2023/02/17 7:23 p.m.75 views

Internet Bug Bounty: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library

Multiple OpenSSL error handling issues were found in the Node.js crypto library. In some cases, Node.js did not clear the OpenSSL error stack after operations that may have set it, which could lead to false positive errors during subsequent cryptographic operations on the same thread and...

7.5CVSS7.5AI score0.02209EPSS
Exploits1
Prion
Prion
added 2023/01/26 9:18 p.m.20 views

Design/Logic Flaw

OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider IdP when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and...

6.5CVSS8.5AI score0.00796EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2022/05/24 10:28 p.m.5 views

GHSA-4V96-M8XV-X83V Broken Authentication in Atlassian Connect Express

Broken Authentication in Atlassian Connect Express ACE from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or...

7.7CVSS6.6AI score0.00897EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2022/05/13 1:42 a.m.38 views

PyJWT vulnerable to key confusion attacks

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS3.7AI score0.01804EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/13 1:17 a.m.41 views

Cisco node-jose improper validation of JWT signature

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature JWS standard for JSON Web Tokens JWTs...

7.5CVSS6.7AI score0.42651EPSS
Exploits6References7Affected Software1
OSV
OSV
added 2022/05/13 1:17 a.m.14 views

GHSA-JFXM-W8G2-4RCV Cisco node-jose improper validation of JWT signature

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature JWS standard for JSON Web Tokens JWTs...

7.5CVSS7.3AI score0.42651EPSS
Exploits6References7
Prion
Prion
added 2022/01/21 7:15 p.m.19 views

Authentication flaw

Fresenius Kabi Vigilant Software Suite Mastermed Dashboard version 2.0.1.3 issues authentication tokens to authenticated users that are signed with a symmetric encryption key. An attacker in possession of the key can issue valid JWTs and impersonate arbitrary users...

6.5CVSS7.5AI score0.00313EPSS
Exploits0References1Affected Software6
Cvelist
Cvelist
added 2022/01/21 6:17 p.m.31 views

CVE-2021-33846 Fresenius Kabi Agilia Connect Infusion System use of a broken or risky cryptographic algorithm

Fresenius Kabi Vigilant Software Suite Mastermed Dashboard version 2.0.1.3 issues authentication tokens to authenticated users that are signed with a symmetric encryption key. An attacker in possession of the key can issue valid JWTs and impersonate arbitrary users...

5.9CVSS7.2AI score0.00313EPSS
Exploits0References1
Rows per page
Query Builder