Vulnerabilities

ID
Packages
Summary
Published
arrow_upward
Attributes
PYSEC-2026-1814
  • PyPI/pyjwt
PyJWT Issuer field partial matches allowed 5 days ago
  • Fix available
  • Severity - 2.1 (Low)
GHSA-w7vc-732c-9m39
  • PyPI/pyjwt
PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS 15 Jun
  • Fix available
  • Severity - 5.3 (Medium)
GHSA-993g-76c3-p5m4
  • PyPI/pyjwt
PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes 15 Jun
  • Fix available
  • Severity - 4.2 (Medium)
GHSA-xgmm-8j9v-c9wx
  • PyPI/pyjwt
PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed 15 Jun
  • Fix available
  • Severity - 7.4 (High)
GHSA-jq35-7prp-9v3f
  • PyPI/pyjwt
PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys 15 Jun
  • Fix available
  • Severity - 5.4 (Medium)
GHSA-fhv5-28vv-h8m8
  • PyPI/pyjwt
PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS) 15 Jun
  • Fix available
  • Severity - 3.7 (Low)
PYSEC-2026-179
  • PyPI/pyjwt
See record for full details 28 May
  • Fix available
  • Severity - 7.4 (High)
PYSEC-2026-178
  • PyPI/pyjwt
See record for full details 28 May
  • Fix available
  • Severity - 5.3 (Medium)
PYSEC-2026-177
  • PyPI/pyjwt
See record for full details 28 May
  • Fix available
  • Severity - 3.7 (Low)
PYSEC-2026-176
  • PyPI/pyjwt
See record for full details 28 May
  • Fix available
  • Severity - 5.4 (Medium)
PYSEC-2026-175
  • PyPI/pyjwt
See record for full details 28 May
  • Fix available
  • Severity - 4.2 (Medium)
GHSA-752w-5fwx-jx9f
  • PyPI/pyjwt
PyJWT accepts unknown `crit` header extensions 13 Mar
  • Fix available
  • Severity - 7.5 (High)
PYSEC-2026-120
  • PyPI/pyjwt
See record for full details 13 Mar
  • Fix available
  • Severity - 7.5 (High)
PYSEC-2025-183
  • PyPI/pyjwt
See record for full details 31 Jul 2025
  • No fix available
  • Severity - 7.0 (High)
GHSA-75c5-xw7c-p5pm
  • PyPI/pyjwt
PyJWT Issuer field partial matches allowed 02 Dec 2024
  • Fix available
  • Severity - 2.1 (Low)
GHSA-ffqj-6fqr-9h24
  • PyPI/pyjwt
Key confusion through non-blocklisted public key formats 24 May 2022
  • Fix available
  • Severity - 7.4 (High)