Lucene search

10 matches found

EUVD
added 2026/05/28 3:10 p.m. · 8 views

EUVD-2026-32918

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decode_complete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

5.4 CVSS · 5.8 AI score · 0.00014 EPSS
Exploits 1 · References 1
Cvelist
added 2026/05/13 7:12 p.m. · 26 views

CVE-2026-44351 fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass

fast-jwt provides a fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an...

9.1 CVSS · 0.00016 EPSS
Exploits 0 · References 1
IBM Security Bulletins
added 2026/01/30 8:29 a.m. · 11 views

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang-jwt which is vulnerable to CVE-2025-30204

Summary: IBM Maximo Application Suite - Visual Inspection component uses golang-jwt which is vulnerable to CVE-2025-30204. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details: CVEID: CVE-2025-30204. DESCRIPTION: golang-jwt is a Go implementation o...

7.5 CVSS · 5.9 AI score · 0.00083 EPSS
Exploits 0 · Affected Software 1
EUVD
added 2025/10/03 8:7 p.m. · 9 views

EUVD-2022-0169

Malicious code in bioql PyPI...

6.5 CVSS · 6.5 AI score · 0.00267 EPSS
Exploits 0 · References 4
RedHat Linux
added 2025/07/23 5:25 p.m. · 2 views

golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt

A flaw was found in the golang-jwt package. Unclear documentation of the error behavior in ParseWithClaims can lead to situations where users are not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both...

3.1 CVSS · 7.1 AI score · 0.0006 EPSS
Exploits 0 · References 6
OSV
added 2024/11/04 10:15 p.m. · 2 views

AZL-52236 CVE-2024-51744 affecting package etcd for versions less than 3.5.21-1

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to situations where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by...

3.1 CVSS · 6.5 AI score · 0.0006 EPSS
Exploits 0 · References 1
CNNVD
added 2024/02/08 12:0 a.m. · 4 views

PHP-JWT Security Vulnerability

PHP-JWT is a simple library for encoding and decoding JSON Web Tokens (JWT) in PHP, compliant with RFC 7519. A security vulnerability exists in PHP-JWT version 1.0.0, which stems from the use of strcmp to authenticate, resulting in an authentication bypass vulnerability...

9.8 CVSS · 7 AI score · 0.00072 EPSS
Exploits 1 · References 2
Positive Technologies
added 2021/03/16 12:0 a.m. · 2 views

PT-2021-19229 · Unknown · Jwt Library +1

Name of the Vulnerable Software and Affected Versions: NATS Server versions 2.0.0 through 2.1.9; JWT library versions prior to 2.0.1. Description: The issue is related to Incorrect Access Control in the NATS server and JWT library. The validation of Import token bindings incorrectly warns on...

7.5 CVSS · 7.3 AI score · 0.0029 EPSS
Exploits 1 · References 23
OSV
added 2020/12/16 2:15 p.m. · 2 views

DEBIAN-CVE-2020-29362

An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS11 function call, the receiving...

5.3 CVSS · 6.7 AI score · 0.00083 EPSS
Exploits 0 · References 1
OSV
added 2020/12/16 2:15 p.m. · 1 views

ALPINE-CVE-2020-29362

An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS11 function call, the receiving...

5.3 CVSS · 7.5 AI score · 0.00083 EPSS
Exploits 0 · References 1