91 matches found
CVE-2026-48558
Summary of vulnerability (CVE-2026-48558) : SimpleHelp versions 5.5.15 and earlier and 6.0 pre-release contain an authentication bypass in the OpenID Connect (OIDC) flow. When OIDC is configured, identity tokens are accepted without cryptographic signature verification, allowing a remote, unauthe...
CVE-2026-36721
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token...
CVE-2026-45156 Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions...
CVE-2026-44720
OpenLearnX (pre-2.0.4) has a critical authentication vulnerability where JWT signature verification is disabled, enabling an attacker to bypass authentication and take over user accounts. Impact is unauthorized access under specific conditions; the issue is fixed in 2.0.4. Remediation: upgrade to...
PT-2026-38281
Name of the Vulnerable Software and Affected Versions azureauthextension versions 0.124.0 through 0.150.0 Description A server-side authentication bypass exists in the azureauthextension when used by an OpenTelemetry receiver with auth: azure auth. The Authenticate function fails to validate...
CVE-2026-33746
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...
CVE-2026-33746
Convoy (KVM server management panel) is vulnerable in versions 3.9.0-beta through
GHSA-Q926-C743-49QJ Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning
Summary Centrifugo supports a configuration flag insecureskiptokensignatureverify that completely disables JWT signature verification. When enabled, Centrifugo accepts any JWT token regardless of signature validity — including tokens signed with wrong keys, random signatures, or no signature at...
MiracleLinux 9 : open-vm-tools-12.1.5-1.el9.3.ML.1 (AXSA:2023-6439:10)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6439:10 advisory. open-vm-tools: SAML token signature bypass CVE-2023-20900 Tenable has extracted the preceding description block directly from the MiracleLinux security...
OESA-2025-2431 google-oauth-java-client security update
Written by Google, the Google OAuth Client Library for Java is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards. The Google OAuth Client Library for Java is designed to work with any OAuth service on the web, not just with Google APIs. It is built o...
EUVD-2011-3106
Malware in sbrugna...
EUVD-2020-1445
Malware in sbrugna...
EUVD-2022-3429
Malicious code in bioql PyPI...
EUVD-2022-7158
Malicious code in bioql PyPI...
EUVD-2022-2377
Malicious code in bioql PyPI...
CVE-2021-22160
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens JWT, the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user incl. admins...
CVE-2024-54150 Algorithm Confusion Vulnerability in cjwt
cjwt is a C JSON Web Token JWT Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between signing methods. If the system doesn't differentiate between an HMAC signed token and an RS/EC/PS...
RHEL 7 : open-vm-tools (RHSA-2024:5315)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:5315 advisory. The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization...
MGASA-2024-0058 Updated open-vm-tools packages fix security vulnerabilities
The updated packages fix security vulnerabilities: Authentication bypass vulnerability in the vgauth module. CVE-2023-20867 SAML token signature bypass. CVE-2023-34058 File descriptor hijack vulnerability in the vmware-user-suid-wrapper. CVE-2023-34059...
SUSE-SU-2024:0806-1 Security update for google-oauth-java-client
This update for google-oauth-java-client fixes the following issues: - CVE-2021-22573: Fixed token signature not verified bsc1199188...