https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Thu, 25 Jun 2026 06:14:10 +0000 https://vulnerability.circl.lu/sighting/d3b79a3a-ff79-4e02-b5ee-2f3fc57b5e84/export {"uuid": "d3b79a3a-ff79-4e02-b5ee-2f3fc57b5e84", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-48525", "type": "published-proof-of-concept", "source": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39", "content": "", "creation_timestamp": "2026-05-21T20:36:11.000000Z"} {"uuid": "d3b79a3a-ff79-4e02-b5ee-2f3fc57b5e84", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-48525", "type": "published-proof-of-concept", "source": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39", "content": "", "creation_timestamp": "2026-05-21T20:36:11.000000Z"} https://vulnerability.circl.lu/sighting/d3b79a3a-ff79-4e02-b5ee-2f3fc57b5e84/export Thu, 21 May 2026 20:36:11 +0000 https://vulnerability.circl.lu/sighting/6120e7f4-67dc-4baa-9b25-dde308a13b94/export {"uuid": "6120e7f4-67dc-4baa-9b25-dde308a13b94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48525", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwleu26lh2k", "content": "CVE-2026-48525 - PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS\nCVE ID : CVE-2026-48525\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python....", "creation_timestamp": "2026-05-28T17:48:23.732898Z"} {"uuid": "6120e7f4-67dc-4baa-9b25-dde308a13b94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48525", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwleu26lh2k", "content": "CVE-2026-48525 - PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS\nCVE ID : CVE-2026-48525\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python....", "creation_timestamp": "2026-05-28T17:48:23.732898Z"} https://vulnerability.circl.lu/sighting/6120e7f4-67dc-4baa-9b25-dde308a13b94/export Thu, 28 May 2026 17:48:23 +0000 https://vulnerability.circl.lu/sighting/452c6903-5b4a-4174-95d6-a802c95ef29e/export {"uuid": "452c6903-5b4a-4174-95d6-a802c95ef29e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/65e78fc78054322fc9a9e7b7f341ade1", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: >= 2.8.0, <= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt>=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:41:20.000000Z"} {"uuid": "452c6903-5b4a-4174-95d6-a802c95ef29e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/65e78fc78054322fc9a9e7b7f341ade1", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: >= 2.8.0, <= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt>=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:41:20.000000Z"} https://vulnerability.circl.lu/sighting/452c6903-5b4a-4174-95d6-a802c95ef29e/export Mon, 15 Jun 2026 19:41:20 +0000 https://vulnerability.circl.lu/sighting/98827e7e-05b8-4739-8cf3-5d2b458033ec/export {"uuid": "98827e7e-05b8-4739-8cf3-5d2b458033ec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/9d5d358571e9a39984e3ba8848038e82", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: >= 2.8.0, <= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt>=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:51:29.000000Z"} {"uuid": "98827e7e-05b8-4739-8cf3-5d2b458033ec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/9d5d358571e9a39984e3ba8848038e82", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: >= 2.8.0, <= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt>=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:51:29.000000Z"} https://vulnerability.circl.lu/sighting/98827e7e-05b8-4739-8cf3-5d2b458033ec/export Mon, 15 Jun 2026 19:51:29 +0000 https://vulnerability.circl.lu/sighting/a2ea3a98-567c-415e-9c9e-4aaf731fe340/export {"uuid": "a2ea3a98-567c-415e-9c9e-4aaf731fe340", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/5176e235b1faf51aeac2691145abc27f", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: >= 2.8.0, <= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt>=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T20:01:21.000000Z"} {"uuid": "a2ea3a98-567c-415e-9c9e-4aaf731fe340", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48525", "type": "seen", "source": "https://gist.github.com/alon710/5176e235b1faf51aeac2691145abc27f", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: >= 2.8.0, <= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt>=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T20:01:21.000000Z"} https://vulnerability.circl.lu/sighting/a2ea3a98-567c-415e-9c9e-4aaf731fe340/export Mon, 15 Jun 2026 20:01:21 +0000