CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/28 4:16 p.m.•2 views

PYSEC-2026-176

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

5.4CVSS5.8AI score0.00014EPSS

PyPA•added 2026/05/28 4:16 p.m.•8 views

PYSEC-2026-179

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the...

7.4CVSS5.8AI score0.00017EPSS

Exploits1References1Affected Software1

ATTACKERKB•added 2026/05/28 3:11 p.m.•3 views

CVE-2026-48525

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option "b64": false, RFC 7797, PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For...

5.3CVSS5.8AI score0.00054EPSS

Exploits1References2Affected Software1

EUVD•added 2026/05/28 3:0 p.m.•4 views

EUVD-2026-32915

4.2CVSS6AI score0.00034EPSS

Positive Technologies•added 2026/05/28 12:0 a.m.•7 views

PT-2026-44397

5.3CVSS5.8AI score0.00054EPSS

Exploits1References2

CVE•added 2026/05/27 5:33 p.m.•8 views

CVE-2026-45090

Dalfox (CVE-2026-45090) suffers a channel lifecycle bug in ParameterAnalysis.go: two sequential worker stages share a single results channel, which is closed after the first stage and then reused by the second stage for POST-body parameters. When a parameter is reflected, the second-stage writer ...

7.5CVSS5.8AI score0.00047EPSS

Exploits0References2

AstraLinux•added 2026/05/20 5:53 a.m.•2 views

Astra Linux - уязвимость в linux, linux-5.10, linux-5.15

The qfqchangeclass function in net/sched/schqfq.c in the Linux kernel before version 6.2.13 allows a out-of-bounds write vulnerability, as lmax can exceed QFQMINLMAX...

7.8CVSS6.7AI score0.00031EPSS

Exploits0References2

Tenable Nessus•added 2026/05/14 12:0 a.m.•6 views

Linux Distros Unpatched Vulnerability : CVE-2026-42580

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int,...

6.5CVSS6.9AI score0.00016EPSS

Exploits1References3

NVD•added 2026/05/13 7:17 p.m.•5 views

CVE-2026-42585

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final...

7.5CVSS0.00012EPSS

OSV•added 2026/05/13 7:17 p.m.•2 views

UBUNTU-CVE-2026-42580

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final...

6.5CVSS5.8AI score0.00016EPSS

Exploits1References3

Debian CVE•added 2026/05/13 6:0 p.m.•5 views

CVE-2026-42577

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100...

7.5CVSS5.8AI score0.00051EPSS

Exploits0

NVD•added 2026/05/09 12:16 a.m.•7 views

CVE-2026-44313

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery SSRF vulnerability in the fetchTitleAndHeaders function allows authenticated users to make arbitrary HTTP requests to internal...

9.1CVSS0.00014EPSS

CVE•added 2026/05/08 11:8 p.m.•8 views

CVE-2026-44313

CVE-2026-44313 (Linkwarden) : A SSRF vulnerability exists in the fetchTitleAndHeaders function prior to version 2.13.0, enabling authenticated users to cause arbitrary HTTP requests to internal services due to insufficient URL validation that only checks for the prefixes "http://" or "https://". ...

Vulnrichment•added 2026/05/08 11:8 p.m.•4 views

CVE-2026-44313 LinkWarden: Server-Side Request Forgery (SSRF) in Link Creation via fetchTitleAndHeaders Function

EUVD•added 2026/05/08 11:8 p.m.•4 views

EUVD-2026-28874

OSV•added 2026/05/08 5:47 a.m.•2 views

BIT-JRE-2026-23865

An integer overflow in the ttvarloaditemvariationstore function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2...

5.3CVSS7.3AI score0.00017EPSS

Exploits0References5

Positive Technologies•added 2026/05/08 12:0 a.m.•5 views

PT-2026-39224

Name of the Vulnerable Software and Affected Versions Linkwarden versions prior to 2.13.0 Description Insufficient URL validation in the fetchTitleAndHeaders function allows authenticated users to perform Server-Side Request Forgery SSRF, a flaw where the server is tricked into making requests to...