Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication when decoding JSON Web Tokens. An attacker can forge valid tokens by supplying a public key as the secret for the HMAC algorithm when both asymmetric and HMAC algorithms are supported. PoC python from jwt.apijws...

CVE-2026-48526

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the...

CLSA-2025-1763647564 xorg-x11-server-Xwayland: Fix of 3 CVEs

CVE-2024-0409: fix incorrect cursor private key usage in Xwayland/Xephyr that caused XSELINUX devPrivates corruption - CVE-2025-26597: fix buffer overflow in XkbChangeTypesOfKey by properly resizing key syms and actions when nGroups is zero - CVE-2025-26594: fix root cursor lifetime handling to...

EUVD-2018-18912

Malware in sbrugna...

EUVD-2022-25250

Malicious code in bioql PyPI...

EUVD-2025-25874

Malicious code in bioql PyPI...

Fuso 安全漏洞

Fuso is a small volume, fast, stable, efficient, and lightweight intranet penetration, port forwarding tool supports multiple connections, cascading proxy, and transmission encryption A small volume, fast, stable, efficient, and lightweight intranet penetration, port forwarding tool supports...

CVE-2025-21422

Cryptographic issue while processing crypto API calls, missing checks may lead to corrupted key usage or IV reuses...

PT-2025-28430 · Qualcomm · Snapdragon +189

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A cryptographic issue exists while processing crypto API calls. Missing checks may lead to corrupted key usage or IV reuses. Recommendations: At the moment, there is no information about a...

GHSA-FJCF-3J3R-78RP LiteLLM Has an Improper Authorization Vulnerability

An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internaluserviewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the applicatio...

CVE-2024-37282

It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges...

SUSE CVE-2017-17843

An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and ...

DEBIAN-CVE-2023-22497

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has...

CVE-2023-22497 Netdata is vulnerable to improper authentication

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has...

GHSA-FFQJ-6FQR-9H24 Key confusion through non-blocklisted public key formats

Impact What kind of vulnerability is it? Who is impacted? Disclosed by Aapo Oksman Senior Security Specialist, Nixu Corporation. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requir...

ALPINE-CVE-2022-1434

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipie...

UBUNTU-CVE-2022-1434

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipie...

Samsung SmartThings Privilege Management Vulnerability (CNVD-2025-02721)

Samsung SmartThings is an app from Samsung South Korea that connects smart devices. A privilege management vulnerability exists in Samsung SmartThings versions prior to 1.7.73.22, which stems from improper privilege management of the API key used by SmartThings, and can be exploited by an attacke...

UBUNTU-CVE-2017-17843

An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and ...