4 matches found
CVE-2026-34240
JOSE is a JavaScript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the token's own "jwk" JOSE header parameter. The vulnerability exists because key selection could tre...
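The failure class described above is easy to reproduce outside any particular library: if a verifier resolves the signing key from the token's "jwk" header, the attacker supplies a key pair of their own, embeds the public half in the header and signs with the private half. The Ruby below is an added, constructed example rather than the jose library's code; the function names (verify_jws_vulnerable, verify_jws_fixed, forgery_demo) are illustrative, and it uses RS256 over the compact JWS serialisation with nothing beyond the Ruby standard library.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed example (not the jose library's code). Function names are
# illustrative; the only assumption is a server that verifies RS256 JWS
# tokens against a configured public key.

def b64url(bin)
  Base64.urlsafe_encode64(bin, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Export the public half of an RSA key as a JWK ("n"/"e" members, base64url big-endian).
def jwk_from_rsa_public(key)
  { "kty" => "RSA", "n" => b64url(key.n.to_s(2)), "e" => b64url(key.e.to_s(2)) }
end

# Rebuild an RSA public key from JWK "n"/"e" by wrapping them in a
# SubjectPublicKeyInfo structure that OpenSSL::PKey::RSA.new understands.
def rsa_public_key_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  pkcs1 = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId("1.2.840.113549.1.1.1"), OpenSSL::ASN1::Null(nil)]),
    OpenSSL::ASN1::BitString(pkcs1)
  ]).to_der
  OpenSSL::PKey::RSA.new(spki)
end

# Compact-serialised RS256 JWS; extra_header is how the attacker adds "jwk".
def sign_jws(private_key, payload, extra_header = {})
  header = { "alg" => "RS256", "typ" => "JWT" }.merge(extra_header)
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

def split_jws(token)
  h, p, s = token.split(".")
  raise ArgumentError, "malformed JWS" unless h && p && s
  [h, p, s, JSON.parse(b64url_decode(h))]
end

# Vulnerable: key selection prefers the "jwk" header when one is present,
# so the token carries the very key it is checked against.
def verify_jws_vulnerable(token, trusted_key)
  h, p, s, header = split_jws(token)
  key = header["jwk"] ? rsa_public_key_from_jwk(header["jwk"]) : trusted_key
  ok = key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s), "#{h}.#{p}")
  ok ? JSON.parse(b64url_decode(p)) : nil
end

# Fixed: the verification key comes only from server-side configuration and
# the algorithm is pinned; any key material in the header is ignored.
def verify_jws_fixed(token, trusted_key)
  h, p, s, header = split_jws(token)
  return nil unless header["alg"] == "RS256"
  ok = trusted_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s), "#{h}.#{p}")
  ok ? JSON.parse(b64url_decode(p)) : nil
end

# Forge a token under an attacker-generated key and run it through both verifiers.
def forgery_demo(server_key = OpenSSL::PKey::RSA.new(2048), attacker_key = OpenSSL::PKey::RSA.new(2048))
  forged = sign_jws(attacker_key, { "sub" => "admin" },
                    "jwk" => jwk_from_rsa_public(attacker_key.public_key))
  {
    vulnerable: verify_jws_vulnerable(forged, server_key.public_key),
    fixed: verify_jws_fixed(forged, server_key.public_key)
  }
end

if __FILE__ == $PROGRAM_NAME
  p forgery_demo
end
```

The forged token verifies under the vulnerable path because the attacker's key round-trips through the header, and is rejected by the fixed path because the server key never matches a signature it did not produce. The same rule applies to "jku" and "x5c": header fields may at most select among keys the server already trusts, never introduce new ones.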
cryptacular: excessive memory allocation during a decode operation
CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data...
DEBIAN-CVE-2020-5247
In the Puma RubyGem before 4.3.2 (4.x series) and before 3.12.3 (3.x series), if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (CR and LF, i.e. \r and \n) to end the header and inject malicious content, such as additional headers or an entirely new response body. This...
PT-2020-3715 · Ruby · Puma
Name of the Vulnerable Software and Affected Versions: Puma versions prior to 4.3.2; Puma versions prior to 3.12.3. Description: The issue is HTTP Response Splitting: an attacker can use newline characters (CR and LF, i.e. \r and \n) to end a header and inject malicious content, such as...
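Both Puma entries above describe the same mechanism, so one worked example covers them. The Ruby below is an added, constructed model of response serialisation, not Puma's code: it shows what a client sees when a CR/LF-bearing value is written into a header unchecked, and the check that mirrors the fix shipped in 4.3.2 and 3.12.3 (reject any header whose name or value contains a line ending). The attacker value in MALICIOUS_LOCATION is constructed for the demo; serialize_response, parse_response, vulnerable_demo and fixed_demo are illustrative names.

```ruby
# Constructed example, not Puma's code. A minimal HTTP/1.1 response writer
# with an optional line-ending check, plus a reader that interprets the bytes
# the way a browser or proxy would.

CRLF = "\r\n"

# Mirrors the fix: a header containing CR or LF is rejected, never stripped.
def validate_header!(name, value)
  [name, value].each do |part|
    if part.to_s.match?(/[\r\n]/)
      raise ArgumentError, "line ending in response header #{name.inspect}"
    end
  end
end

# check: true is the patched behaviour; check: false is Puma before 4.3.2 / 3.12.3.
def serialize_response(status, headers, body, check: true)
  head = +"HTTP/1.1 #{status}#{CRLF}"
  headers.each do |name, value|
    validate_header!(name, value) if check
    head << "#{name}: #{value}#{CRLF}"
  end
  head << "Content-Length: #{body.bytesize}#{CRLF}" << CRLF << body
end

# Receiver's view: everything before the first blank line is headers, the
# remainder is body. This is where the split takes effect.
def parse_response(raw)
  head, body = raw.split(CRLF + CRLF, 2)
  status, *header_lines = head.split(CRLF)
  { status: status, headers: header_lines, body: body }
end

# Constructed attacker input: a redirect target carrying CRLFs that terminate
# the Location header, add a Set-Cookie header, end the header block and start
# a body of the attacker's choosing.
MALICIOUS_LOCATION = "/home#{CRLF}Set-Cookie: session=attacker#{CRLF}#{CRLF}<script>alert(1)</script>"

# Unchecked write: the injected header and body are honoured by the receiver.
def vulnerable_demo
  raw = serialize_response(302, { "Location" => MALICIOUS_LOCATION }, "", check: false)
  parse_response(raw)
end

# Checked write: the response is never emitted.
def fixed_demo
  serialize_response(302, { "Location" => MALICIOUS_LOCATION }, "")
  :accepted
rescue ArgumentError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_demo
  p fixed_demo
end
```

In the unchecked case the receiver sees "Set-Cookie: session=attacker" as a genuine header and the "<script>" text as the body, while the real Content-Length line is pushed into the body and ignored; rejecting the header at write time, as the fix does, is the right response, since silently stripping CR/LF can leave a value that still means something else to the client.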