| CVE-2026-28498 |
unknown |
— |
— |
|
|
|
2mo ago |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation… |
| CVE-2026-28490 |
unknown |
— |
— |
|
|
|
2mo ago |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning… |
| CVE-2026-27962 |
unknown |
— |
— |
|
|
|
2mo ago |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attac… |
| CVE-2026-28802 |
unknown |
— |
— |
|
|
|
3mo ago |
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an emp… |
| CVE-2025-68158 |
unknown |
— |
— |
|
|
|
5mo ago |
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSR… |
| CVE-2025-62706 |
unknown |
— |
— |
|
|
|
8mo ago |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can exp… |
| CVE-2025-61920 |
unknown |
— |
— |
|
|
|
8mo ago |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote atta… |
| CVE-2025-59420 |
unknown |
— |
— |
|
|
|
8mo ago |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), vi… |
| CVE-2024-37568 |
unknown |
— |
— |
|
|
|
2y ago |
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (… |