<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Mon, 22 Jun 2026 17:07:04 +0000</lastBuildDate>
    <item>
      <title>6120e7f4-67dc-4baa-9b25-dde308a13b94</title>
      <link>https://vulnerability.circl.lu/sighting/6120e7f4-67dc-4baa-9b25-dde308a13b94/export</link>
      <description>{"uuid": "6120e7f4-67dc-4baa-9b25-dde308a13b94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48525", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwleu26lh2k", "content": "CVE-2026-48525 - PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS\nCVE ID : CVE-2026-48525\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python....", "creation_timestamp": "2026-05-28T17:48:23.732898Z"}</description>
      <content:encoded>{"uuid": "6120e7f4-67dc-4baa-9b25-dde308a13b94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48525", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwleu26lh2k", "content": "CVE-2026-48525 - PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS\nCVE ID : CVE-2026-48525\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python....", "creation_timestamp": "2026-05-28T17:48:23.732898Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/6120e7f4-67dc-4baa-9b25-dde308a13b94/export</guid>
      <pubDate>Thu, 28 May 2026 17:48:23 +0000</pubDate>
    </item>
    <item>
      <title>d412ee9d-9fef-437a-a608-1ad70b95b8e4</title>
      <link>https://vulnerability.circl.lu/sighting/d412ee9d-9fef-437a-a608-1ad70b95b8e4/export</link>
      <description>{"uuid": "d412ee9d-9fef-437a-a608-1ad70b95b8e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48522", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwlnshmtl2k", "content": "CVE-2026-48522 - PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes\nCVE ID : CVE-2026-48522\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python. Prior to ...", "creation_timestamp": "2026-05-28T17:53:23.839388Z"}</description>
      <content:encoded>{"uuid": "d412ee9d-9fef-437a-a608-1ad70b95b8e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48522", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwlnshmtl2k", "content": "CVE-2026-48522 - PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes\nCVE ID : CVE-2026-48522\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python. Prior to ...", "creation_timestamp": "2026-05-28T17:53:23.839388Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/d412ee9d-9fef-437a-a608-1ad70b95b8e4/export</guid>
      <pubDate>Thu, 28 May 2026 17:53:23 +0000</pubDate>
    </item>
    <item>
      <title>181f84c1-b0ec-4f00-bf6c-d4800f998861</title>
      <link>https://vulnerability.circl.lu/sighting/181f84c1-b0ec-4f00-bf6c-d4800f998861/export</link>
      <description>{"uuid": "181f84c1-b0ec-4f00-bf6c-d4800f998861", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48527", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmyuju2ije22", "content": "CVE-2026-48527 - HaxCMS has a stored Cross-Site Scripting (XSS) bypass in saveNode endpoint\nCVE ID : CVE-2026-48527\n \n Published : May 29, 2026, 1:16 p.m. | 1\u00a0hour, 55\u00a0minutes ago\n \n Description : HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up...", "creation_timestamp": "2026-05-29T15:37:37.120252Z"}</description>
      <content:encoded>{"uuid": "181f84c1-b0ec-4f00-bf6c-d4800f998861", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48527", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmyuju2ije22", "content": "CVE-2026-48527 - HaxCMS has a stored Cross-Site Scripting (XSS) bypass in saveNode endpoint\nCVE ID : CVE-2026-48527\n \n Published : May 29, 2026, 1:16 p.m. | 1\u00a0hour, 55\u00a0minutes ago\n \n Description : HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up...", "creation_timestamp": "2026-05-29T15:37:37.120252Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/181f84c1-b0ec-4f00-bf6c-d4800f998861/export</guid>
      <pubDate>Fri, 29 May 2026 15:37:37 +0000</pubDate>
    </item>
    <item>
      <title>e21227da-aaa1-48de-afda-d908512fbc23</title>
      <link>https://vulnerability.circl.lu/sighting/e21227da-aaa1-48de-afda-d908512fbc23/export</link>
      <description>{"uuid": "e21227da-aaa1-48de-afda-d908512fbc23", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48527", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mn45s4mkta2s", "content": "\ud83d\udfe0 CVE-2026-48527 - High (8.7)\n\nHAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-48527/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-30T23:01:15.705522Z"}</description>
      <content:encoded>{"uuid": "e21227da-aaa1-48de-afda-d908512fbc23", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48527", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mn45s4mkta2s", "content": "\ud83d\udfe0 CVE-2026-48527 - High (8.7)\n\nHAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-48527/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-30T23:01:15.705522Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/e21227da-aaa1-48de-afda-d908512fbc23/export</guid>
      <pubDate>Sat, 30 May 2026 23:01:15 +0000</pubDate>
    </item>
    <item>
      <title>f37007a3-5fbd-471b-9966-f4bba1f6fcf4</title>
      <link>https://vulnerability.circl.lu/sighting/f37007a3-5fbd-471b-9966-f4bba1f6fcf4/export</link>
      <description>{"uuid": "f37007a3-5fbd-471b-9966-f4bba1f6fcf4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48526", "type": "seen", "source": "https://gist.github.com/alon710/93387c2165378ba3df7fa81047a5bf97", "content": "# CVE-2026-48526: CVE-2026-48526: Algorithm Confusion Vulnerability in PyJWT\n\n&amp;gt; **CVSS Score:** 7.4\n&amp;gt; **Published:** 2026-05-28\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48526\n\n## Summary\nCVE-2026-48526 is an algorithm-confusion vulnerability in PyJWT prior to version 2.13.0. When an application decodes tokens using a raw JSON Web Key (JWK) string while simultaneously supporting mixed algorithm families (symmetric and asymmetric), PyJWT does not validate that the key matches its intended algorithm context. This allows an attacker to sign a forged token using the public JWK string as an HMAC symmetric secret, bypassing authentication controls.\n\n## TL;DR\nAn algorithm-confusion vulnerability in PyJWT allows remote attackers to bypass authentication by signing forged tokens with a public JWK string treated as a symmetric HMAC secret.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-287\n- **Attack Vector**: Network\n- **CVSS**: 7.4\n- **EPSS Score**: 0.00017\n- **Impact**: High\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pyjwt (Python JSON Web Token Library)\n- **pyjwt**: &amp;lt; 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade pyjwt to version 2.13.0 or later.\n- Do not allow mixed algorithm families in jwt.decode calls.\n- Parse public keys explicitly using PyJWK rather than passing raw JSON strings.\n\n**Remediation Steps:**\n1. Run `pip install --upgrade pyjwt` to update to 2.13.0+.\n2. Review jwt.decode usage to ensure the algorithms list is restricted strictly to either symmetric (e.g. HS256) or asymmetric (e.g. RS256) families.\n3. Modify raw key-loading paths to parse JWK dictionaries using `jwt.PyJWK` before verification.\n\n## References\n\n- [NVD - CVE-2026-48526](https://nvd.nist.gov/vuln/detail/CVE-2026-48526)\n- [CVE-2026-48526 Record](https://www.cve.org/CVERecord?id=CVE-2026-48526)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48526) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T08:21:13.000000Z"}</description>
      <content:encoded>{"uuid": "f37007a3-5fbd-471b-9966-f4bba1f6fcf4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48526", "type": "seen", "source": "https://gist.github.com/alon710/93387c2165378ba3df7fa81047a5bf97", "content": "# CVE-2026-48526: CVE-2026-48526: Algorithm Confusion Vulnerability in PyJWT\n\n&amp;gt; **CVSS Score:** 7.4\n&amp;gt; **Published:** 2026-05-28\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48526\n\n## Summary\nCVE-2026-48526 is an algorithm-confusion vulnerability in PyJWT prior to version 2.13.0. When an application decodes tokens using a raw JSON Web Key (JWK) string while simultaneously supporting mixed algorithm families (symmetric and asymmetric), PyJWT does not validate that the key matches its intended algorithm context. This allows an attacker to sign a forged token using the public JWK string as an HMAC symmetric secret, bypassing authentication controls.\n\n## TL;DR\nAn algorithm-confusion vulnerability in PyJWT allows remote attackers to bypass authentication by signing forged tokens with a public JWK string treated as a symmetric HMAC secret.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-287\n- **Attack Vector**: Network\n- **CVSS**: 7.4\n- **EPSS Score**: 0.00017\n- **Impact**: High\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pyjwt (Python JSON Web Token Library)\n- **pyjwt**: &amp;lt; 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade pyjwt to version 2.13.0 or later.\n- Do not allow mixed algorithm families in jwt.decode calls.\n- Parse public keys explicitly using PyJWK rather than passing raw JSON strings.\n\n**Remediation Steps:**\n1. Run `pip install --upgrade pyjwt` to update to 2.13.0+.\n2. Review jwt.decode usage to ensure the algorithms list is restricted strictly to either symmetric (e.g. HS256) or asymmetric (e.g. RS256) families.\n3. Modify raw key-loading paths to parse JWK dictionaries using `jwt.PyJWK` before verification.\n\n## References\n\n- [NVD - CVE-2026-48526](https://nvd.nist.gov/vuln/detail/CVE-2026-48526)\n- [CVE-2026-48526 Record](https://www.cve.org/CVERecord?id=CVE-2026-48526)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48526) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T08:21:13.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/f37007a3-5fbd-471b-9966-f4bba1f6fcf4/export</guid>
      <pubDate>Thu, 04 Jun 2026 08:21:13 +0000</pubDate>
    </item>
    <item>
      <title>5591fa28-478d-4f1a-a859-8aafd95196d5</title>
      <link>https://vulnerability.circl.lu/sighting/5591fa28-478d-4f1a-a859-8aafd95196d5/export</link>
      <description>{"uuid": "5591fa28-478d-4f1a-a859-8aafd95196d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48524", "type": "seen", "source": "https://gist.github.com/alon710/1f95260cf4713d452e9aa65f49fefae4", "content": "# CVE-2026-48524: CVE-2026-48524: Remote Cache Eviction and Authentication Denial of Service in PyJWT\n\n&amp;gt; **CVSS Score:** 3.7\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48524\n\n## Summary\nA logic flaw in PyJWT's PyJWKClient class allows remote unauthenticated attackers to trigger a complete authentication outage. By transmitting a volume of JWTs containing randomized, non-existent Key ID (kid) values, attackers force synchronous outbound JWKS resolution queries. When these queries fail or time out, a defect in the error cleanup code overwrites the local cache of valid signing keys with None, causing a denial of service.\n\n## TL;DR\nUnauthenticated attackers can send JWTs with randomized KIDs to force connection errors on the target's upstream JWKS endpoint. A flaw in the error cleanup sequence then writes None to the cache, evicting all legitimate signing keys and preventing legitimate users from authenticating.\n\n## Technical Details\n\n- **CWE ID**: CWE-460\n- **Attack Vector**: Network\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00205\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: none\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the pyjwt Python package prior to version 2.13.0 with PyJWKClient enabled for dynamic key retrieval.\n- **pyjwt**: &amp;lt; 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade PyJWT to version 2.13.0 or higher\n- Implement rate limiting at the API Gateway or WAF level to throttle incoming requests with unique, unverified JWT headers\n- Validate the format and structure of the 'kid' header before initiating client database or remote lookup actions\n- Apply strict outbound connection limits and low timeouts on requests to dynamic JWKS endpoints\n\n**Remediation Steps:**\n1. Identify all deployment environments running Python-based JWT authentication layers.\n2. Check the installed PyJWT version using 'pip show pyjwt'.\n3. Upgrade the package to a safe version: 'pip install --upgrade \"pyjwt&amp;gt;=2.13.0\"'.\n4. Restart the application server instances to reload the newly patched dependency into memory.\n5. Set up application telemetry to alert on spikes of 'PyJWKClientConnectionError' or unhandled connection timeouts.\n\n## References\n\n- [GitHub Security Advisory GHSA-fhv5-28vv-h8m8](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8)\n- [Official CVE Record CVE-2026-48524](https://www.cve.org/CVERecord?id=CVE-2026-48524)\n- [PyJWT Commit Fix 95791b1759b8aa4f2203575d344d5c78564cdc81](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48524) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T17:41:21.000000Z"}</description>
      <content:encoded>{"uuid": "5591fa28-478d-4f1a-a859-8aafd95196d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48524", "type": "seen", "source": "https://gist.github.com/alon710/1f95260cf4713d452e9aa65f49fefae4", "content": "# CVE-2026-48524: CVE-2026-48524: Remote Cache Eviction and Authentication Denial of Service in PyJWT\n\n&amp;gt; **CVSS Score:** 3.7\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48524\n\n## Summary\nA logic flaw in PyJWT's PyJWKClient class allows remote unauthenticated attackers to trigger a complete authentication outage. By transmitting a volume of JWTs containing randomized, non-existent Key ID (kid) values, attackers force synchronous outbound JWKS resolution queries. When these queries fail or time out, a defect in the error cleanup code overwrites the local cache of valid signing keys with None, causing a denial of service.\n\n## TL;DR\nUnauthenticated attackers can send JWTs with randomized KIDs to force connection errors on the target's upstream JWKS endpoint. A flaw in the error cleanup sequence then writes None to the cache, evicting all legitimate signing keys and preventing legitimate users from authenticating.\n\n## Technical Details\n\n- **CWE ID**: CWE-460\n- **Attack Vector**: Network\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00205\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: none\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the pyjwt Python package prior to version 2.13.0 with PyJWKClient enabled for dynamic key retrieval.\n- **pyjwt**: &amp;lt; 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade PyJWT to version 2.13.0 or higher\n- Implement rate limiting at the API Gateway or WAF level to throttle incoming requests with unique, unverified JWT headers\n- Validate the format and structure of the 'kid' header before initiating client database or remote lookup actions\n- Apply strict outbound connection limits and low timeouts on requests to dynamic JWKS endpoints\n\n**Remediation Steps:**\n1. Identify all deployment environments running Python-based JWT authentication layers.\n2. Check the installed PyJWT version using 'pip show pyjwt'.\n3. Upgrade the package to a safe version: 'pip install --upgrade \"pyjwt&amp;gt;=2.13.0\"'.\n4. Restart the application server instances to reload the newly patched dependency into memory.\n5. Set up application telemetry to alert on spikes of 'PyJWKClientConnectionError' or unhandled connection timeouts.\n\n## References\n\n- [GitHub Security Advisory GHSA-fhv5-28vv-h8m8](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8)\n- [Official CVE Record CVE-2026-48524](https://www.cve.org/CVERecord?id=CVE-2026-48524)\n- [PyJWT Commit Fix 95791b1759b8aa4f2203575d344d5c78564cdc81](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48524) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T17:41:21.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/5591fa28-478d-4f1a-a859-8aafd95196d5/export</guid>
      <pubDate>Mon, 15 Jun 2026 17:41:21 +0000</pubDate>
    </item>
    <item>
      <title>452c6903-5b4a-4174-95d6-a802c95ef29e</title>
      <link>https://vulnerability.circl.lu/sighting/452c6903-5b4a-4174-95d6-a802c95ef29e/export</link>
      <description>{"uuid": "452c6903-5b4a-4174-95d6-a802c95ef29e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/65e78fc78054322fc9a9e7b7f341ade1", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: &amp;gt;= 2.8.0, &amp;lt;= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt&amp;gt;=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:41:20.000000Z"}</description>
      <content:encoded>{"uuid": "452c6903-5b4a-4174-95d6-a802c95ef29e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/65e78fc78054322fc9a9e7b7f341ade1", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: &amp;gt;= 2.8.0, &amp;lt;= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt&amp;gt;=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:41:20.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/452c6903-5b4a-4174-95d6-a802c95ef29e/export</guid>
      <pubDate>Mon, 15 Jun 2026 19:41:20 +0000</pubDate>
    </item>
    <item>
      <title>98827e7e-05b8-4739-8cf3-5d2b458033ec</title>
      <link>https://vulnerability.circl.lu/sighting/98827e7e-05b8-4739-8cf3-5d2b458033ec/export</link>
      <description>{"uuid": "98827e7e-05b8-4739-8cf3-5d2b458033ec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/9d5d358571e9a39984e3ba8848038e82", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: &amp;gt;= 2.8.0, &amp;lt;= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt&amp;gt;=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:51:29.000000Z"}</description>
      <content:encoded>{"uuid": "98827e7e-05b8-4739-8cf3-5d2b458033ec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/9d5d358571e9a39984e3ba8848038e82", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: &amp;gt;= 2.8.0, &amp;lt;= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt&amp;gt;=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:51:29.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/98827e7e-05b8-4739-8cf3-5d2b458033ec/export</guid>
      <pubDate>Mon, 15 Jun 2026 19:51:29 +0000</pubDate>
    </item>
    <item>
      <title>a2ea3a98-567c-415e-9c9e-4aaf731fe340</title>
      <link>https://vulnerability.circl.lu/sighting/a2ea3a98-567c-415e-9c9e-4aaf731fe340/export</link>
      <description>{"uuid": "a2ea3a98-567c-415e-9c9e-4aaf731fe340", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/5176e235b1faf51aeac2691145abc27f", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: &amp;gt;= 2.8.0, &amp;lt;= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. 
Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt&amp;gt;=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T20:01:21.000000Z"}</description>
      <content:encoded>{"uuid": "a2ea3a98-567c-415e-9c9e-4aaf731fe340", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/5176e235b1faf51aeac2691145abc27f", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: &amp;gt;= 2.8.0, &amp;lt;= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. 
Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt&amp;gt;=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T20:01:21.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/a2ea3a98-567c-415e-9c9e-4aaf731fe340/export</guid>
      <pubDate>Mon, 15 Jun 2026 20:01:21 +0000</pubDate>
    </item>
    <item>
      <title>2bbef858-e386-4134-bc11-91b87c1e74e8</title>
      <link>https://vulnerability.circl.lu/sighting/2bbef858-e386-4134-bc11-91b87c1e74e8/export</link>
      <description>{"uuid": "2bbef858-e386-4134-bc11-91b87c1e74e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48524", "type": "seen", "source": "https://gist.github.com/alon710/71d181c729157a76bf49cfdfcfefeae5", "content": "# CVE-2026-48524: CVE-2026-48524: Remote Cache Eviction and Authentication Denial of Service in PyJWT\n\n&amp;gt; **CVSS Score:** 3.7\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48524\n\n## Summary\nA logic flaw in PyJWT's PyJWKClient class allows remote unauthenticated attackers to trigger a complete authentication outage. By transmitting a volume of JWTs containing randomized, non-existent Key ID (kid) values, attackers force synchronous outbound JWKS resolution queries. When these queries fail or time out, a defect in the error cleanup code overwrites the local cache of valid signing keys with None, causing a denial of service.\n\n## TL;DR\nUnauthenticated attackers can send JWTs with randomized KIDs to force connection errors on the target's upstream JWKS endpoint. 
A flaw in the error cleanup sequence then writes None to the cache, evicting all legitimate signing keys and preventing legitimate users from authenticating.\n\n## Technical Details\n\n- **CWE ID**: CWE-460\n- **Attack Vector**: Network\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00205\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: none\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the pyjwt Python package prior to version 2.13.0 with PyJWKClient enabled for dynamic key retrieval.\n- **pyjwt**: &amp;lt; 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade PyJWT to version 2.13.0 or higher\n- Implement rate limiting at the API Gateway or WAF level to throttle incoming requests with unique, unverified JWT headers\n- Validate the format and structure of the 'kid' header before initiating client database or remote lookup actions\n- Apply strict outbound connection limits and low timeouts on requests to dynamic JWKS endpoints\n\n**Remediation Steps:**\n1. Identify all deployment environments running Python-based JWT authentication layers.\n2. Check the installed PyJWT version using 'pip show pyjwt'.\n3. Upgrade the package to a safe version: 'pip install --upgrade \"pyjwt&amp;gt;=2.13.0\"'.\n4. Restart the application server instances to reload the newly patched dependency into memory.\n5. 
Set up application telemetry to alert on spikes of 'PyJWKClientConnectionError' or unhandled connection timeouts.\n\n## References\n\n- [GitHub Security Advisory GHSA-fhv5-28vv-h8m8](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8)\n- [Official CVE Record CVE-2026-48524](https://www.cve.org/CVERecord?id=CVE-2026-48524)\n- [PyJWT Commit Fix 95791b1759b8aa4f2203575d344d5c78564cdc81](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48524) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T23:21:16.000000Z"}</description>
      <content:encoded>{"uuid": "2bbef858-e386-4134-bc11-91b87c1e74e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48524", "type": "seen", "source": "https://gist.github.com/alon710/71d181c729157a76bf49cfdfcfefeae5", "content": "# CVE-2026-48524: CVE-2026-48524: Remote Cache Eviction and Authentication Denial of Service in PyJWT\n\n&amp;gt; **CVSS Score:** 3.7\n&amp;gt; **Published:** 2026-06-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48524\n\n## Summary\nA logic flaw in PyJWT's PyJWKClient class allows remote unauthenticated attackers to trigger a complete authentication outage. By transmitting a volume of JWTs containing randomized, non-existent Key ID (kid) values, attackers force synchronous outbound JWKS resolution queries. When these queries fail or time out, a defect in the error cleanup code overwrites the local cache of valid signing keys with None, causing a denial of service.\n\n## TL;DR\nUnauthenticated attackers can send JWTs with randomized KIDs to force connection errors on the target's upstream JWKS endpoint. 
A flaw in the error cleanup sequence then writes None to the cache, evicting all legitimate signing keys and preventing legitimate users from authenticating.\n\n## Technical Details\n\n- **CWE ID**: CWE-460\n- **Attack Vector**: Network\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00205\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: none\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the pyjwt Python package prior to version 2.13.0 with PyJWKClient enabled for dynamic key retrieval.\n- **pyjwt**: &amp;lt; 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade PyJWT to version 2.13.0 or higher\n- Implement rate limiting at the API Gateway or WAF level to throttle incoming requests with unique, unverified JWT headers\n- Validate the format and structure of the 'kid' header before initiating client database or remote lookup actions\n- Apply strict outbound connection limits and low timeouts on requests to dynamic JWKS endpoints\n\n**Remediation Steps:**\n1. Identify all deployment environments running Python-based JWT authentication layers.\n2. Check the installed PyJWT version using 'pip show pyjwt'.\n3. Upgrade the package to a safe version: 'pip install --upgrade \"pyjwt&amp;gt;=2.13.0\"'.\n4. Restart the application server instances to reload the newly patched dependency into memory.\n5. 
Set up application telemetry to alert on spikes of 'PyJWKClientConnectionError' or unhandled connection timeouts.\n\n## References\n\n- [GitHub Security Advisory GHSA-fhv5-28vv-h8m8](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8)\n- [Official CVE Record CVE-2026-48524](https://www.cve.org/CVERecord?id=CVE-2026-48524)\n- [PyJWT Commit Fix 95791b1759b8aa4f2203575d344d5c78564cdc81](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48524) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T23:21:16.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/2bbef858-e386-4134-bc11-91b87c1e74e8/export</guid>
      <pubDate>Mon, 15 Jun 2026 23:21:16 +0000</pubDate>
    </item>
  </channel>
</rss>
