Lucene search
K

6 matches found

Github Security Blog
Github Security Blog
added 2026/06/15 7:28 p.m.10 views

PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes

!NOTE The library does not directly return non-HTTPS URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws attacker write access to a filesystem path, untrusted jku derivation that this fix do...

8.8CVSS5.6AI score0.02214EPSS
Exploits1References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/04 10:17 p.m.9 views

CVE-2026-48522

A flaw was found in PyJWT, a JSON Web Token implementation in Python. The PyJWKClient component, prior to version 2.13.0, directly passes its Uniform Resource Identifier URI argument to urllib.request.urlopen. This allows a remote attacker, by influencing the application's jku URL ingestion path,...

4.2CVSS5.8AI score0.00181EPSS
Exploits1References4
CVE
CVE
added 2026/03/04 9:49 p.m.316 views

CVE-2026-29000

CVE-2026-29000 affects pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3. The issue is an authentication bypass in JwtAuthenticator when handling encrypted JWTs, enabling an attacker who has the server’s RSA public key to forge a JWE-wrapped PlainJWT with arbitrary subject and role claims. This...

9.3CVSS6AI score0.05856EPSS
Exploits17References3
CVE
CVE
added 2026/02/25 8:25 a.m.14 views

CVE-2026-1916

The CVE concerns the WPGSI: Spreadsheet Integration WordPress plugin (up to version 3.8.3). The vulnerability arises from missing authorization on two REST API functions (wpgsi_callBackFuncAccept and wpgsi_callBackFuncUpdate), where permission_callback => '__return_true' allows unauthenticated...

7.5CVSS5.7AI score0.00357EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2025/03/06 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2025-24032

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PAM-PKCS11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if certpolicy is set to none the default value...

9.2CVSS7.3AI score0.00677EPSS
Exploits0References2
OSV
OSV
added 2017/08/24 4:29 p.m.7 views

PYSEC-2017-24

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS5.9AI score0.01804EPSS
Exploits0References3
Rows per page
Query Builder