Skip to main content

Jwt Attack

507 CVEs product

Monthly

CVE-2026-3564 CRITICAL Act Now

A cryptographic authentication bypass vulnerability in ConnectWise ScreenConnect allows remote attackers who gain access to server-level cryptographic material to authenticate as any user and obtain elevated privileges. The vulnerability affects all ScreenConnect versions prior to 26.1 and carries a CVSS score of 9.0, indicating critical severity. While not currently listed in CISA's KEV catalog and with no public proof-of-concept available, the vulnerability's authentication bypass nature and potential for complete system compromise make it a high-priority patching target.

Authentication Bypass Jwt Attack Screenconnect
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-4258 npm HIGH PATCH This Week

Private key recovery in Stanford JavaScript Crypto Library (SJCL) ECDH implementation affects all versions prior to 1.0.9, allowing remote unauthenticated attackers to extract a victim's ECDH private key by submitting crafted off-curve public keys and observing the resulting shared-secret outputs. The flaw stems from missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(), combined with dhJavaEc() returning the raw x-coordinate without hashing - providing a direct plaintext oracle. Publicly available exploit code exists (PoC gist by Kr0emer); EPSS is low at 0.02% despite the high confidentiality impact, suggesting limited current opportunistic targeting.

Information Disclosure Oracle Jwt Attack
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-27962 PyPI CRITICAL PATCH Act Now

A critical authentication bypass vulnerability in authlib's JWT signature verification allows attackers to forge arbitrary tokens by injecting their own cryptographic keys through the JWT header. The flaw affects all versions of authlib prior to 1.6.9 when applications use key resolution callbacks that can return None (common in JWKS-based authentication flows). A working proof-of-concept exists demonstrating complete authentication bypass, enabling attackers to impersonate any user or assume administrative privileges without valid credentials.

Docker Python Deserialization Jwt Attack
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-52648 MEDIUM This Month

A security vulnerability in HCL AION (CVSS 4.8). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jwt Attack
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-21002 MEDIUM This Month

Galaxy Store prior to version 4.6.03.8 contains an improper cryptographic signature verification vulnerability that allows a local attacker to install arbitrary applications without proper authorization. An attacker with physical or local access to a device can bypass the signature validation mechanism, enabling installation of malicious or unauthorized apps. While the CVSS score of 5.9 is moderate, the integrity impact is high, making this a meaningful threat to device security and app ecosystem integrity.

Information Disclosure Jwt Attack
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-20997 MEDIUM This Month

Smart Switch prior to version 3.7.69.15 contains an improper cryptographic signature verification vulnerability that allows remote attackers to bypass authentication mechanisms. The vulnerability has a CVSS score of 5.3 with network-based attack vector and low complexity, requiring only user interaction. While no public exploit or KEV status has been confirmed, the authentication bypass capability presents a moderate risk for unauthorized access to affected devices.

Authentication Bypass Jwt Attack
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-20989 LOW Monitor

This vulnerability involves improper cryptographic signature verification in the Font Settings component of Samsung devices prior to the March 2026 Security Update Release 1. A physical attacker can bypass signature validation to install custom fonts, potentially leading to integrity compromise of system font resources. While the CVSS score is moderate at 5.1, the attack requires physical access and user interaction, limiting real-world exploitation frequency.

Information Disclosure Jwt Attack
NVD VulDB
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-3562 HIGH This Week

CVE-2026-3562 is an authentication bypass vulnerability in Philips Hue Bridge's HAP (HomeKit Accessory Protocol) implementation, specifically within the ed25519_sign_open function that fails to properly verify Ed25519 cryptographic signatures. Network-adjacent attackers can exploit this flaw without authentication to execute arbitrary code on affected Hue Bridge installations. The CVSS score of 6.3 reflects moderate severity with local network access requirements, though the authentication bypass nature elevates real-world risk for smart home environments.

Authentication Bypass RCE Jwt Attack
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28802 PyPI HIGH POC PATCH This Week

Authentication bypass in Authlib (Python OAuth/OpenID Connect library) versions 1.6.5 through 1.6.6 allows remote attackers to forge JWTs by supplying a token with 'alg: none' and an empty signature, which the library accepts as valid during signature verification. Because the integrity check is silently bypassed, an attacker can craft tokens with arbitrary claims and impersonate any identity. Publicly available exploit code exists (regression-test based, via the GitHub Security Advisory), but EPSS is only 0.02% (6th percentile) and the issue is not in CISA KEV - no public exploit identified as actively used at time of analysis.

Python Authlib Information Disclosure Jwt Attack
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-29000 Maven CRITICAL POC PATCH Act Now

JWT authentication bypass in pac4j-jwt before 4.5.9/5.7.9/6.3.3 when processing encrypted JWTs. PoC available.

Authentication Bypass Jwt Attack
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-3338 Cargo HIGH PATCH This Week

Signature verification bypass in AWS-LC's PKCS7_verify() function lets unauthenticated attackers get forged PKCS#7 objects containing Authenticated Attributes accepted as validly signed, defeating the integrity guarantee the API exists to provide. It affects applications linking AWS-LC, including the Rust aws-lc-sys binding and aws_libcrypto, and is tagged as enabling JWT/authentication-bypass attacks. No public exploit identified at time of analysis and EPSS is very low (0.03%), but integrity impact is High (CVSS 4.0 8.7) and a fixed release (1.69.0) is already available.

Aws Lc Sys Aws Libcrypto Jwt Attack Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-23687 HIGH This Week

Sap Basis versions up to 700 is affected by improper verification of cryptographic signature (CVSS 8.8).

SAP Authentication Bypass Jwt Attack
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1529 Maven HIGH PATCH This Week

Keycloak's invitation token validation fails to cryptographically verify JWT payload modifications, allowing authenticated attackers to alter organization IDs and email addresses to register into unauthorized organizations. This enables unauthorized access to organizations without proper authentication, affecting any Keycloak deployment using the invitation feature. No patch is currently available.

Authentication Bypass Jwt Attack
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-24807 Maven MEDIUM This Month

Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.

Apache Java Jwt Attack Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-64787 LOW Monitor

Improper verification of cryptographic signatures in Adobe Acrobat Reader versions up to 24.001.30264, 20.005.30803, and 25.001.20982 allows local attackers to bypass cryptographic protections and gain limited unauthorized write access to PDF documents. The vulnerability requires user interaction with a malicious or crafted PDF containing an improperly signed element. With a CVSS score of 3.3 and local attack vector, this represents a low-severity security feature bypass affecting document integrity verification.

Jwt Attack Authentication Bypass Adobe
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-64786 LOW Monitor

Improper verification of cryptographic signatures in Adobe Acrobat Reader and Acrobat DC versions up to 24.001.30273, 25.001.20982, and 20.005.30803 allows local attackers to bypass security features and gain limited unauthorized write access to PDF documents. Exploitation requires user interaction with a malicious or specially crafted cryptographic signature embedded in a PDF file. No active exploitation has been confirmed at the time of analysis.

Jwt Attack Authentication Bypass Adobe
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-59719 CRITICAL EUVD KEV Act Now

Authentication bypass in Fortinet FortiWeb 8.0.0, 7.6.0-7.6.4, and 7.4.0-7.4.9 allows unauthenticated remote attackers to circumvent FortiCloud SSO login by sending a crafted SAML response message. The flaw stems from improper cryptographic signature verification (CWE-347), enabling forgery of authentication assertions. No public exploit identified at time of analysis, EPSS sits at 0.26% (50th percentile), and the issue is not currently listed in CISA KEV, though Fortinet products have historically been high-value targets.

Fortinet Authentication Bypass Jwt Attack Fortiweb
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-59718 CRITICAL KEV EUVD KEV THREAT Emergency

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to defeat FortiCloud SSO login by submitting a crafted SAML response, due to improper verification of the response's cryptographic signature. The flaw is confirmed actively exploited (CISA KEV), with Arctic Wolf observing malicious SSO logins in the wild, and EPSS rates it at the 93rd percentile of likelihood. Combined with a 9.8 CVSS score and CWE-347 root cause, this is a top-priority patching target for any organization running affected Fortinet management planes.

Fortinet Authentication Bypass Jwt Attack
NVD VulDB
CVSS 3.1
9.8
EPSS
9.5%
CVE-2025-40934 CRITICAL PATCH Act Now

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-34324 HIGH POC This Month

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Jwt Attack RCE Apple Microsoft Gosign +2
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-64740 HIGH This Month

Improper verification of cryptographic signature in the installer for Zoom Workplace VDI Client for Windows may allow an authenticated user to conduct an escalation of privilege via local access. Rated high severity (CVSS 7.5). No vendor patch available.

Jwt Attack Microsoft Privilege Escalation Workplace Virtual Desktop Infrastructure Windows
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-64186 Go HIGH POC PATCH This Week

Evervault is a payment security solution. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Jwt Attack Information Disclosure Evervault
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-64456 HIGH This Month

In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Privilege Escalation Resharper
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-55278 HIGH This Month

Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-43468 MEDIUM PATCH This Month

A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Jwt Attack Intel Apple Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43390 MEDIUM This Month

A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Intel Apple Information Disclosure macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7937 HIGH This Month

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW . Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-6198 HIGH This Month

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F . Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-59334 CRITICAL POC PATCH Act Now

Linkr is a lightweight file delivery system that downloads files from a webserver. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Jwt Attack Linkr
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-20248 MEDIUM This Month

A vulnerability in the installation process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR Software image signature verification and load unsigned. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple Jwt Attack
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-52550 HIGH This Week

E3 Site Supervisor Control (firmware version < 2.31F01) firmware upgrade packages are unsigned. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack E3 Supervisory Controller Firmware
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-30064 HIGH This Month

An insufficiently secured internal function allows session generation for arbitrary users. Rated high severity (CVSS 8.8). No vendor patch available.

RCE Jwt Attack
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-57801 Go HIGH POC PATCH This Week

gnark is a zero-knowledge proof system framework. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Jwt Attack Gnark
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-55229 MEDIUM This Month

Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Jwt Attack Windows 10 1507 Windows 10 1607 +12
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-4371 HIGH This Month

A potential vulnerability was reported in the Lenovo 510 FHD and Performance FHD web cameras that could allow an attacker with physical access to write arbitrary firmware updates to the device over a. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Lenovo Information Disclosure Jwt Attack
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-40758 HIGH This Week

A vulnerability has been identified in Mendix SAML (Mendix 10.12 compatible) (All versions < V4.0.3), Mendix SAML (Mendix 10.21 compatible) (All versions < V4.1.2), Mendix SAML (Mendix 9.24. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Jwt Attack
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-54982 CRITICAL This Week

An improper verification of cryptographic signature in Zscaler's SAML authentication mechanism on the server-side allowed an authentication abuse. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-8454 CRITICAL PATCH This Week

It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack Debian Devscripts Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2022-31807 MEDIUM This Month

A vulnerability has been identified in Building X - Security Manager Edge Controller (ACC-AP) (All versions). Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Sipass Integrated Ac5102 Acc G2 Firmware Sipass Integrated Acc Ap Firmware
NVD
CVSS 4.0
5.9
EPSS
0.1%
CVE-2025-47949 npm CRITICAL PATCH This Week

samlify is a Node.js library for SAML single sign-on. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Node.js Samlify
NVD GitHub
CVSS 4.0
9.9
EPSS
0.2%
CVE-2025-47934 npm HIGH PATCH This Month

OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-20181 MEDIUM This Month

A vulnerability in Cisco IOS Software for Cisco Catalyst 2960X, 2960XR, 2960CX, and 3560CX Series Switches could allow an authenticated, local attacker with privilege level 15 or an unauthenticated. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Jwt Attack RCE Cisco
NVD
CVSS 3.0
6.8
EPSS
0.1%
CVE-2025-33074 HIGH This Week

Improper verification of cryptographic signature in Microsoft Azure Functions allows an authorized attacker to execute code over a network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft Jwt Attack Information Disclosure Azure Functions
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-2866 LOW Monitor

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Libreoffice
NVD
CVSS 4.0
2.4
EPSS
0.1%
CVE-2025-2764 HIGH This Week

CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack RCE Autokit
NVD
CVSS 3.0
8.0
EPSS
0.0%
CVE-2025-2763 MEDIUM This Month

CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jwt Attack RCE Autokit
NVD
CVSS 3.0
6.8
EPSS
0.0%
CVE-2025-43903 MEDIUM PATCH This Month

NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.

Jwt Attack Information Disclosure Poppler Red Hat Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-20178 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Secure Network Analytics could allow an authenticated, remote attacker with valid administrative credentials to execute arbitrary. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Cisco Secure Network Analytics
NVD
CVSS 3.1
6.0
EPSS
0.1%
CVE-2025-29915 HIGH PATCH This Week

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Suricata Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-27813 HIGH This Month

MSI Center before 2.0.52.0 has Missing PE Signature Validation. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. No vendor patch available.

Jwt Attack Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-31489 Go HIGH POC PATCH This Week

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
8.7
EPSS
4.9%
CVE-2025-31335 MEDIUM PATCH This Month

The OpenSAML C++ library before 3.3.1 allows forging of signed SAML messages via parameter manipulation (when using SAML bindings that rely on non-XML signatures). Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Jwt Attack Information Disclosure Red Hat Suse
NVD
CVSS 3.1
4.0
EPSS
0.1%
CVE-2025-29775 npm CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js Red Hat
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-29774 npm CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js Red Hat
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2020-36843 Maven MEDIUM PATCH This Month

The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.

Jwt Attack Information Disclosure Java Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-25292 Ruby CRITICAL POC PATCH CERT-EU Act Now

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Jwt Attack Authentication Bypass Omniauth Saml Ruby Saml Storagegrid
NVD GitHub
CVSS 4.0
9.3
EPSS
4.1%
CVE-2025-25291 Ruby CRITICAL POC PATCH THREAT CERT-EU Act Now

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%.

Jwt Attack Authentication Bypass Omniauth Saml Ruby Saml Storagegrid
NVD GitHub
CVSS 4.0
9.3
EPSS
13.8%
CVE-2025-20143 MEDIUM This Month

A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker with high privileges to bypass the Secure Boot functionality and load unverified software on. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Apple Jwt Attack Authentication Bypass Cisco Ios Xr
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20206 HIGH This Week

A vulnerability in the interprocess communication (IPC) channel of Cisco Secure Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Jwt Attack RCE Cisco Secure Client +1
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27670 CRITICAL Act Now

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Insufficient Signature Validation OVE-20230524-0014. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Vasion Print Virtual Appliance
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-11957 CRITICAL Act Now

Improper verification of the digital signature in ksojscore.dll in Kingsoft WPS Office in versions equal or less than 12.1.0.18276 on Windows allows an attacker to load an arbitrary Windows library. Rated critical severity (CVSS 9.3), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Jwt Attack Information Disclosure Windows
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-27498 Cargo MEDIUM PATCH This Month

aes-gcm is a pure Rust implementation of the AES-GCM. Rated medium severity (CVSS 5.6), this vulnerability is no authentication required. No vendor patch available.

Jwt Attack Information Disclosure
NVD GitHub
CVSS 4.0
5.6
EPSS
0.0%
CVE-2023-25574 PyPI CRITICAL PATCH GHSA Act Now

`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Lti Jupyterhub Authenticator
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2024-56161 HIGH This Month

Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and. Rated high severity (CVSS 7.2). No vendor patch available.

Amd Information Disclosure Jwt Attack Red Hat Suse
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-24800 Cargo CRITICAL PATCH This Week

Hyperbridge is a hyper-scalable coprocessor for verifiable, cross-chain interoperability. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-23369 HIGH This Month

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. Epss exploitation probability 11.8% and no vendor patch available.

Authentication Bypass Jwt Attack Enterprise Server
NVD GitHub
CVSS 4.0
7.6
EPSS
11.8%
CVE-2025-23206 npm LOW PATCH Monitor

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Rated low severity (CVSS 1.8), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Jwt Attack Aws Cloud Development Kit
NVD GitHub
CVSS 4.0
1.8
EPSS
0.1%
CVE-2024-13172 HIGH This Month

Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Ivanti Jwt Attack Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2024-7344 HIGH POC PATCH This Week

Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Jwt Attack Neo Impact Greenguard Sysreturn +5
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2024-54150 HIGH This Week

cjwt is a C JSON Web Token (JWT) Implementation. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jwt Attack
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2024-43106 CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft Excel 16.83 for macOS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack Microsoft Excel
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-42220 CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft Outlook 16.83.3 for macOS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack Microsoft Outlook
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-42004 CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack Microsoft Teams
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-41165 CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft Word 16.83 for macOS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack Microsoft Word
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-41159 HIGH POC This Week

A library injection vulnerability exists in Microsoft OneNote 16.83 for macOS. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack Microsoft Onenote
NVD
CVSS 3.1
7.1
EPSS
0.8%
CVE-2024-41145 CRITICAL POC Act Now

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack Microsoft Teams
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-41138 CRITICAL POC Act Now

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack Microsoft Teams
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-39804 CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft PowerPoint 16.83 for macOS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack Microsoft Powerpoint
NVD
CVSS 3.1
9.1
EPSS
0.9%
CVE-2024-22461 HIGH This Week

Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jwt Attack Command Injection Dell Recoverpoint For Virtual Machines
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-54126 HIGH This Week

This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at its web interface. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

TP-Link Jwt Attack Information Disclosure
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2024-47476 HIGH This Week

Dell NetWorker Management Console, version(s) 19.11, contain(s) an Improper Verification of Cryptographic Signature vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Jwt Attack Dell Networker Management Console
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2024-49413 HIGH This Week

Improper Verification of Cryptographic Signature in SmartSwitch prior to SMR Dec-2024 Release 1 allows local attackers to install malicious applications. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Android
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-52958 CRITICAL Act Now

A improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Iota C Ai
NVD
CVSS 4.0
9.3
EPSS
0.3%
CVE-2024-53267 Maven MEDIUM PATCH This Month

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Java Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2024-40592 MEDIUM This Month

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiClient MacOS version 7.4.0, version 7.2.4 and below, version 7.0.10 and below, version 6.4.10 and below may allow a. Rated medium severity (CVSS 6.7). No vendor patch available.

Apple Jwt Attack Information Disclosure Fortinet Forticlient
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2024-49394 MEDIUM This Month

In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack Mutt Neomutt Enterprise Linux
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-49393 MEDIUM This Month

In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Jwt Attack Mutt Neomutt Enterprise Linux
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-47073 CRITICAL POC Act Now

DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Jwt Attack Information Disclosure Dataease
NVD GitHub
CVSS 4.0
9.3
EPSS
1.2%
CVE-2024-51526 MEDIUM This Month

Permission control vulnerability in the hidebug module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Harmonyos
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2024-50347 PHP MEDIUM PATCH This Month

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Jwt Attack Information Disclosure
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
EPSS 0% CVSS 9.0
CRITICAL Act Now

A cryptographic authentication bypass vulnerability in ConnectWise ScreenConnect allows remote attackers who gain access to server-level cryptographic material to authenticate as any user and obtain elevated privileges. The vulnerability affects all ScreenConnect versions prior to 26.1 and carries a CVSS score of 9.0, indicating critical severity. While not currently listed in CISA's KEV catalog and with no public proof-of-concept available, the vulnerability's authentication bypass nature and potential for complete system compromise make it a high-priority patching target.

Authentication Bypass Jwt Attack Screenconnect
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Private key recovery in Stanford JavaScript Crypto Library (SJCL) ECDH implementation affects all versions prior to 1.0.9, allowing remote unauthenticated attackers to extract a victim's ECDH private key by submitting crafted off-curve public keys and observing the resulting shared-secret outputs. The flaw stems from missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(), combined with dhJavaEc() returning the raw x-coordinate without hashing - providing a direct plaintext oracle. Publicly available exploit code exists (PoC gist by Kr0emer); EPSS is low at 0.02% despite the high confidentiality impact, suggesting limited current opportunistic targeting.

Information Disclosure Oracle Jwt Attack
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

A critical authentication bypass vulnerability in authlib's JWT signature verification allows attackers to forge arbitrary tokens by injecting their own cryptographic keys through the JWT header. The flaw affects all versions of authlib prior to 1.6.9 when applications use key resolution callbacks that can return None (common in JWKS-based authentication flows). A working proof-of-concept exists demonstrating complete authentication bypass, enabling attackers to impersonate any user or assume administrative privileges without valid credentials.

Docker Python Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

A security vulnerability in HCL AION (CVSS 4.8). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jwt Attack
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Galaxy Store prior to version 4.6.03.8 contains an improper cryptographic signature verification vulnerability that allows a local attacker to install arbitrary applications without proper authorization. An attacker with physical or local access to a device can bypass the signature validation mechanism, enabling installation of malicious or unauthorized apps. While the CVSS score of 5.9 is moderate, the integrity impact is high, making this a meaningful threat to device security and app ecosystem integrity.

Information Disclosure Jwt Attack
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Smart Switch prior to version 3.7.69.15 contains an improper cryptographic signature verification vulnerability that allows remote attackers to bypass authentication mechanisms. The vulnerability has a CVSS score of 5.3 with network-based attack vector and low complexity, requiring only user interaction. While no public exploit or KEV status has been confirmed, the authentication bypass capability presents a moderate risk for unauthorized access to affected devices.

Authentication Bypass Jwt Attack
NVD VulDB
EPSS 0% CVSS 2.4
LOW Monitor

This vulnerability involves improper cryptographic signature verification in the Font Settings component of Samsung devices prior to the March 2026 Security Update Release 1. A physical attacker can bypass signature validation to install custom fonts, potentially leading to integrity compromise of system font resources. While the CVSS score is moderate at 5.1, the attack requires physical access and user interaction, limiting real-world exploitation frequency.

Information Disclosure Jwt Attack
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

CVE-2026-3562 is an authentication bypass vulnerability in Philips Hue Bridge's HAP (HomeKit Accessory Protocol) implementation, specifically within the ed25519_sign_open function that fails to properly verify Ed25519 cryptographic signatures. Network-adjacent attackers can exploit this flaw without authentication to execute arbitrary code on affected Hue Bridge installations. The CVSS score of 6.3 reflects moderate severity with local network access requirements, though the authentication bypass nature elevates real-world risk for smart home environments.

Authentication Bypass RCE Jwt Attack
NVD
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Authentication bypass in Authlib (Python OAuth/OpenID Connect library) versions 1.6.5 through 1.6.6 allows remote attackers to forge JWTs by supplying a token with 'alg: none' and an empty signature, which the library accepts as valid during signature verification. Because the integrity check is silently bypassed, an attacker can craft tokens with arbitrary claims and impersonate any identity. Publicly available exploit code exists (regression-test based, via the GitHub Security Advisory), but EPSS is only 0.02% (6th percentile) and the issue is not in CISA KEV - no public exploit identified as actively used at time of analysis.

Python Authlib Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

JWT authentication bypass in pac4j-jwt before 4.5.9/5.7.9/6.3.3 when processing encrypted JWTs. PoC available.

Authentication Bypass Jwt Attack
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Signature verification bypass in AWS-LC's PKCS7_verify() function lets unauthenticated attackers get forged PKCS#7 objects containing Authenticated Attributes accepted as validly signed, defeating the integrity guarantee the API exists to provide. It affects applications linking AWS-LC, including the Rust aws-lc-sys binding and aws_libcrypto, and is tagged as enabling JWT/authentication-bypass attacks. No public exploit identified at time of analysis and EPSS is very low (0.03%), but integrity impact is High (CVSS 4.0 8.7) and a fixed release (1.69.0) is already available.

Aws Lc Sys Aws Libcrypto Jwt Attack +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Sap Basis versions up to 700 is affected by improper verification of cryptographic signature (CVSS 8.8).

SAP Authentication Bypass Jwt Attack
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Keycloak's invitation token validation fails to cryptographically verify JWT payload modifications, allowing authenticated attackers to alter organization IDs and email addresses to register into unauthorized organizations. This enables unauthorized access to organizations without proper authentication, affecting any Keycloak deployment using the invitation feature. No patch is currently available.

Authentication Bypass Jwt Attack
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.

Apache Java Jwt Attack +1
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Improper verification of cryptographic signatures in Adobe Acrobat Reader versions up to 24.001.30264, 20.005.30803, and 25.001.20982 allows local attackers to bypass cryptographic protections and gain limited unauthorized write access to PDF documents. The vulnerability requires user interaction with a malicious or crafted PDF containing an improperly signed element. With a CVSS score of 3.3 and local attack vector, this represents a low-severity security feature bypass affecting document integrity verification.

Jwt Attack Authentication Bypass Adobe
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Improper verification of cryptographic signatures in Adobe Acrobat Reader and Acrobat DC versions up to 24.001.30273, 25.001.20982, and 20.005.30803 allows local attackers to bypass security features and gain limited unauthorized write access to PDF documents. Exploitation requires user interaction with a malicious or specially crafted cryptographic signature embedded in a PDF file. No active exploitation has been confirmed at the time of analysis.

Jwt Attack Authentication Bypass Adobe
NVD
EPSS 0% CVSS 9.8
CRITICAL EUVD KEV Act Now

Authentication bypass in Fortinet FortiWeb 8.0.0, 7.6.0-7.6.4, and 7.4.0-7.4.9 allows unauthenticated remote attackers to circumvent FortiCloud SSO login by sending a crafted SAML response message. The flaw stems from improper cryptographic signature verification (CWE-347), enabling forgery of authentication assertions. No public exploit identified at time of analysis, EPSS sits at 0.26% (50th percentile), and the issue is not currently listed in CISA KEV, though Fortinet products have historically been high-value targets.

Fortinet Authentication Bypass Jwt Attack +1
NVD VulDB
EPSS 9% CVSS 9.8
CRITICAL KEV EUVD KEV THREAT Emergency

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to defeat FortiCloud SSO login by submitting a crafted SAML response, due to improper verification of the response's cryptographic signature. The flaw is confirmed actively exploited (CISA KEV), with Arctic Wolf observing malicious SSO logins in the wild, and EPSS rates it at the 93rd percentile of likelihood. Combined with a 9.8 CVSS score and CWE-347 root cause, this is a top-priority patching target for any organization running affected Fortinet management planes.

Fortinet Authentication Bypass Jwt Attack
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC This Month

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Jwt Attack RCE Apple +4
NVD
EPSS 0% CVSS 7.5
HIGH This Month

Improper verification of cryptographic signature in the installer for Zoom Workplace VDI Client for Windows may allow an authenticated user to conduct an escalation of privilege via local access. Rated high severity (CVSS 7.5). No vendor patch available.

Jwt Attack Microsoft Privilege Escalation +2
NVD
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Evervault is a payment security solution. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Jwt Attack Information Disclosure Evervault
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Month

In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Privilege Escalation Resharper
NVD
EPSS 0% CVSS 8.1
HIGH This Month

Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Jwt Attack Intel Apple +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Intel Apple +2
NVD
EPSS 0% CVSS 7.2
HIGH This Month

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW . Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack
NVD
EPSS 0% CVSS 7.2
HIGH This Month

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F . Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack
NVD
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Linkr is a lightweight file delivery system that downloads files from a webserver. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Jwt Attack Linkr
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

A vulnerability in the installation process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR Software image signature verification and load unsigned. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple +1
NVD
EPSS 0% CVSS 8.6
HIGH This Week

E3 Site Supervisor Control (firmware version < 2.31F01) firmware upgrade packages are unsigned. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack E3 Supervisory Controller Firmware
NVD
EPSS 0% CVSS 8.8
HIGH This Month

An insufficiently secured internal function allows session generation for arbitrary users. Rated high severity (CVSS 8.8). No vendor patch available.

RCE Jwt Attack
NVD
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

gnark is a zero-knowledge proof system framework. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Jwt Attack Gnark
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Jwt Attack +14
NVD
EPSS 0% CVSS 7.0
HIGH This Month

A potential vulnerability was reported in the Lenovo 510 FHD and Performance FHD web cameras that could allow an attacker with physical access to write arbitrary firmware updates to the device over a. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Lenovo Information Disclosure Jwt Attack
NVD
EPSS 0% CVSS 8.7
HIGH This Week

A vulnerability has been identified in Mendix SAML (Mendix 10.12 compatible) (All versions < V4.0.3), Mendix SAML (Mendix 10.21 compatible) (All versions < V4.1.2), Mendix SAML (Mendix 9.24. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Jwt Attack
NVD
EPSS 0% CVSS 9.6
CRITICAL This Week

An improper verification of cryptographic signature in Zscaler's SAML authentication mechanism on the server-side allowed an authentication abuse. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH This Week

It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack Debian +2
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

A vulnerability has been identified in Building X - Security Manager Edge Controller (ACC-AP) (All versions). Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Sipass Integrated Ac5102 Acc G2 Firmware +1
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH This Week

samlify is a Node.js library for SAML single sign-on. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Node.js +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

A vulnerability in Cisco IOS Software for Cisco Catalyst 2960X, 2960XR, 2960CX, and 3560CX Series Switches could allow an authenticated, local attacker with privilege level 15 or an unauthenticated. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Jwt Attack RCE +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper verification of cryptographic signature in Microsoft Azure Functions allows an authorized attacker to execute code over a network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft Jwt Attack Information Disclosure +1
NVD
EPSS 0% CVSS 2.4
LOW Monitor

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Libreoffice
NVD
EPSS 0% CVSS 8.0
HIGH This Week

CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack RCE Autokit
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jwt Attack RCE Autokit
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.

Jwt Attack Information Disclosure Poppler +2
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Secure Network Analytics could allow an authenticated, remote attacker with valid administrative credentials to execute arbitrary. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Cisco +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Suricata +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Month

MSI Center before 2.0.52.0 has Missing PE Signature Validation. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. No vendor patch available.

Jwt Attack Information Disclosure
NVD
EPSS 5% CVSS 8.7
HIGH POC PATCH This Week

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Red Hat +1
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

The OpenSAML C++ library before 3.3.1 allows forging of signed SAML messages via parameter manipulation (when using SAML bindings that rely on non-XML signatures). Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Jwt Attack Information Disclosure Red Hat +1
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js +1
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.

Jwt Attack Information Disclosure Java +1
NVD GitHub
EPSS 4% CVSS 9.3
CRITICAL POC PATCH Act Now

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Jwt Attack Authentication Bypass Omniauth Saml +2
NVD GitHub
EPSS 14% CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%.

Jwt Attack Authentication Bypass Omniauth Saml +2
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker with high privileges to bypass the Secure Boot functionality and load unverified software on. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Apple Jwt Attack Authentication Bypass +2
NVD
EPSS 0% CVSS 7.1
HIGH This Week

A vulnerability in the interprocess communication (IPC) channel of Cisco Secure Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Jwt Attack RCE +3
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Insufficient Signature Validation OVE-20230524-0014. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Vasion Print +1
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Improper verification of the digital signature in ksojscore.dll in Kingsoft WPS Office in versions equal or less than 12.1.0.18276 on Windows allows an attacker to load an arbitrary Windows library. Rated critical severity (CVSS 9.3), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Jwt Attack Information Disclosure +1
NVD
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

aes-gcm is a pure Rust implementation of the AES-GCM. Rated medium severity (CVSS 5.6), this vulnerability is no authentication required. No vendor patch available.

Jwt Attack Information Disclosure
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Lti Jupyterhub Authenticator
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Month

Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and. Rated high severity (CVSS 7.2). No vendor patch available.

Amd Information Disclosure Jwt Attack +2
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH This Week

Hyperbridge is a hyper-scalable coprocessor for verifiable, cross-chain interoperability. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack
NVD GitHub
EPSS 12% CVSS 7.6
HIGH This Month

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. Epss exploitation probability 11.8% and no vendor patch available.

Authentication Bypass Jwt Attack Enterprise Server
NVD GitHub
EPSS 0% CVSS 1.8
LOW PATCH Monitor

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Rated low severity (CVSS 1.8), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Jwt Attack Aws Cloud Development Kit
NVD GitHub
EPSS 1% CVSS 7.8
HIGH This Month

Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Ivanti Jwt Attack +1
NVD
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Jwt Attack Neo Impact +7
NVD
EPSS 0% CVSS 8.7
HIGH This Week

cjwt is a C JSON Web Token (JWT) Implementation. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jwt Attack
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft Excel 16.83 for macOS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack +2
NVD
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft Outlook 16.83.3 for macOS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack +2
NVD
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft Word 16.83 for macOS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack +2
NVD
EPSS 1% CVSS 7.1
HIGH POC This Week

A library injection vulnerability exists in Microsoft OneNote 16.83 for macOS. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack +2
NVD
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A library injection vulnerability exists in Microsoft PowerPoint 16.83 for macOS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Jwt Attack +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jwt Attack Command Injection Dell +1
NVD
EPSS 0% CVSS 8.5
HIGH This Week

This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at its web interface. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

TP-Link Jwt Attack Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Dell NetWorker Management Console, version(s) 19.11, contain(s) an Improper Verification of Cryptographic Signature vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Jwt Attack Dell +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper Verification of Cryptographic Signature in SmartSwitch prior to SMR Dec-2024 Release 1 allows local attackers to install malicious applications. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Android
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

A improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Iota C Ai
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Java Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiClient MacOS version 7.4.0, version 7.2.4 and below, version 7.0.10 and below, version 6.4.10 and below may allow a. Rated medium severity (CVSS 6.7). No vendor patch available.

Apple Jwt Attack Information Disclosure +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack Mutt +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Jwt Attack Mutt +2
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Jwt Attack Information Disclosure Dataease
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Permission control vulnerability in the hidebug module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Jwt Attack Information Disclosure Harmonyos
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Jwt Attack Information Disclosure
NVD GitHub
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy