25 matches found

RedHat Linux
added 2026/06/15 2:41 a.m., 7 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token (JWT) implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys (JWK) in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4 CVSS, 5.4 AI score, 0.00148 EPSS
Exploits: 1, References: 5

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2019-7402

Malware in sbrugna...

7.8 CVSS, 7.9 AI score, 0.0217 EPSS
Exploits: 2, References: 11

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2009-4476

Malware in sbrugna...

8.5 CVSS, 7.4 AI score, 0.02148 EPSS
Exploits: 0, References: 6

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2016-7738

Malware in sbrugna...

6.1 CVSS, 6.2 AI score, 0.02441 EPSS
Exploits: 5, References: 6

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-13993

Malware in sbrugna...

9.8 CVSS, 9.4 AI score, 0.01603 EPSS
Exploits: 0, References: 4

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2008-2282

Malware in sbrugna...

5 CVSS, 6.1 AI score, 0.01693 EPSS
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2014-0395

Malware in sbrugna...

5 CVSS, 6.3 AI score, 0.01833 EPSS
Exploits: 2, References: 4

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-8229

Malware in sbrugna...

8.8 CVSS, 7.3 AI score, 0.01413 EPSS
Exploits: 0, References: 2

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2018-19613

Malware in sbrugna...

5.8 CVSS, 4.8 AI score, 0.00469 EPSS
Exploits: 0, References: 2

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-48297

Malicious code in bioql PyPI...

7.5 CVSS, 7.6 AI score, 0.0053 EPSS
Exploits: 0, References: 1

EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2024-51560

Malicious code in bioql PyPI...

6.5 CVSS, 8.9 AI score, 0.0037 EPSS
Exploits: 0, References: 2

CNVD
added 2025/06/24 12:0 a.m., 5 views

WordPress AI Image Lab - Free AI Image Generator plugin cross-site request forgery vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. A cross-site request forgery vulnerability exists in the WordPress AI Image Lab - Free AI Image Generator plugin, which stems from missing or incorrect validation of random...

4.3 CVSS, 6.8 AI score, 0.00126 EPSS
Exploits: 0, References: 1

NVD
added 2025/06/10 11:15 p.m., 7 views

CVE-2025-26521

When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based...

8.1 CVSS, 0.00583 EPSS
Exploits: 0, References: 3

NVD
added 2025/05/26 3:15 a.m., 16 views

CVE-2025-5164

A vulnerability has been found in PerfreeBlog 4.0.11 and classified as problematic. This vulnerability affects the function JwtUtil of the component JWT Handler. The manipulation leads to use of hard-coded cryptographic key. The attack can be initiated remotely. The complexity of an attack is...

8.1 CVSS, 0.0062 EPSS
Exploits: 1, References: 4

RedhatCVE
added 2025/05/23 7:30 a.m., 3 views

CVE-2024-48930

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, loadCompressedPublicKey is missing that...

8.7 CVSS, 6.5 AI score, 0.00393 EPSS
Exploits: 0

CVE
added 2025/03/24 12:0 a.m., 67 views

CVE-2025-29311

CVE-2025-29311 affects ONOS v2.7.0, where a limited secret space in LLDP packets can let an attacker brute-force obtain the private key and craft LLDP packets. The public documents confirm the vulnerability and potential for exploit via crafted LLDP frames, but do not provide a concrete patch ver...

7.5 CVSS, 6.8 AI score, 0.00321 EPSS
Exploits: 0, References: 1, Affected Software: 1

RedhatCVE
added 2025/02/06 2:21 a.m., 6 views

CVE-2025-22609

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of I...

10 CVSS, 7.4 AI score, 0.00723 EPSS
Exploits: 1, References: 1

NVD
added 2024/12/07 2:15 a.m., 14 views

CVE-2024-7894

The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license...

5.3 CVSS, 0.00349 EPSS
Exploits: 0, References: 3

CNVD
added 2024/11/21 12:0 a.m., 10 views

TRCore DVC Trust Management Issue Vulnerability

TRCore DVC is a file insurance system from TRCore China. TRCore DVC suffers from a trust management issue vulnerability that originates from encrypting a file using a hard-coded key, which can be exploited by an attacker to decrypt the file using the hard-coded key and recover the original conten...

6.2 CVSS, 6.8 AI score, 0.00155 EPSS
Exploits: 0, References: 1

CVE
added 2023/09/21 1:17 p.m., 60 views

CVE-2023-43631

The CVE-2023-43631 issue affects the Pillar/EVE container in EVE OS. On boot, the container checks for /config/authorized_keys and, if a valid public key is present, enables SSH on port 22 for root login. The /config partition is not protected by measured boot, is mutable, and unencrypted, allowi...

8.8 CVSS, 8.7 AI score, 0.0016 EPSS
Exploits: 0, References: 1, Affected Software: 1