Lucene search
K

112 matches found

Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.11 views

SUSE SLED15 / SLES15 Security Update : python-PyJWT (SUSE-SU-2026:2626-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2626-1 advisory. This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments...

7.4CVSS5.8AI score0.00394EPSS
Exploits4References16
OSV
OSV
added 2026/06/15 5:28 p.m.7 views

GHSA-FHV5-28VV-H8M8 PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

!NOTE The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior rate limiting, transient errors which is beyond the attacker's control. Impact is reduced auth...

3.7CVSS5.3AI score0.00222EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/15 5:28 p.m.9 views

PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

!NOTE The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior rate limiting, transient errors which is beyond the attacker's control. Impact is reduced auth...

3.7CVSS5.2AI score0.00222EPSS
Exploits0References4Affected Software1
SUSE CVE
SUSE CVE
added 2026/05/30 1:59 a.m.18 views

SUSE CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00222EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/05/29 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-48524

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT wi...

3.7CVSS6AI score0.00222EPSS
Exploits0References4
PyPA
PyPA
added 2026/05/28 4:16 p.m.18 views

PYSEC-2026-177

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00222EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/05/28 4:16 p.m.8 views

DEBIAN-CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00222EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 4:16 p.m.17 views

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS0.00222EPSS
Exploits0References1
OSV
OSV
added 2026/05/28 4:16 p.m.9 views

PYSEC-2026-177

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00222EPSS
Exploits0References1
OSV
OSV
added 2026/05/28 4:16 p.m.10 views

UBUNTU-CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00222EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/28 3:7 p.m.11 views

CVE-2026-48524 PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00222EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 3:7 p.m.9 views

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00222EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/05/28 3:7 p.m.35 views

CVE-2026-48524 PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS0.00222EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 3:7 p.m.49 views

CVE-2026-48524

CVE-2026-48524 affects PyJWT prior to 2.13.0. The issue is in PyJWKClient.get_signing_key(), which can force a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since the kid is from an unverified token header, an attacker can trigger unlimite...

3.7CVSS5.8AI score0.00222EPSS
Exploits0References1Affected Software1
Debian CVE
Debian CVE
added 2026/05/28 3:7 p.m.9 views

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00222EPSS
Exploits0
GithubExploit
GithubExploit
added 2026/05/22 4:17 p.m.75 views

jwt-pwn

jwt-pwn A zero-dependency Python 3 toolkit for discovering an...

9.8CVSS7.4AI score0.08655EPSS
Exploits3
GithubExploit
GithubExploit
added 2026/04/14 6:44 a.m.215 views

jwt-attack-suite

JWT Attack Suite Offensive JWT testing toolkit for penetrat...

9.8CVSS5.9AI score0.42651EPSS
Exploits9
EUVD
EUVD
added 2026/03/25 6:31 p.m.4 views

EUVD-2026-15859

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CreativeWS Kiddy kiddy allows PHP Local File Inclusion.This issue affects Kiddy: from n/a through = 2.0.8...

5.8AI score0.00403EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:3 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

9.3CVSS5.9AI score0.00258EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/13 8:3 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

9.3CVSS5.9AI score0.00258EPSS
Exploits1References2
Rows per page
Query Builder