| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-35041 | ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification | nearform | fast-jwt | Medium | 4.2 | 2026-04-09 14:55:23 |
| CVE-2026-35040 | fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS) | nearform | fast-jwt | Medium | 5.3 | 2026-04-09 14:52:56 |
| CVE-2026-35042 | fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation) | nearform | fast-jwt | High | 7.5 | 2026-04-06 17:02:12 |
| CVE-2026-35039 | fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) | nearform | fast-jwt | Critical | 9.1 | 2026-04-06 16:59:43 |
| CVE-2026-34950 | fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key | nearform | fast-jwt | Critical | 9.1 | 2026-04-06 15:54:04 |
| CVE-2026-29000 | pac4j-jwt JwtAuthenticator Authentication Bypass | pac4j | pac4j-jwt | Critical | 9.1 | 2026-03-04 21:49:29 |
| CVE-2025-12822 | WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure | cyberlord92 | WP Login and Register using JWT | Medium | 4.3 | 2025-11-19 05:45:15 |
| CVE-2025-58648 | WordPress Simple JWT Login plugin <= 3.6.4 - Cross Site Scripting (XSS) vulnerability | Nicu Micle | Simple JWT Login | Medium | 6.5 | 2025-09-22 18:23:11 |
| CVE-2025-54887 | jwe: Missing AES-GCM authentication tag validation in encrypted JWEs | jwt | ruby-jwe | Critical | 9.1 | 2025-08-08 00:06:20 |
| CVE-2025-53864 | Connect2id Nimbus JOSE + JWT security vulnerability | Connect2id | Nimbus JOSE+JWT | Medium | 5.8 | 2025-07-11 00:00:00 |
| CVE-2025-30204 | jwt-go allows excessive memory allocation during header parsing | golang-jwt | jwt | High | 7.5 | 2025-03-21 21:42:01 |
| CVE-2025-30144 | Fast-JWT Improperly Validates iss Claims | nearform | fast-jwt | Medium | 6.5 | 2025-03-19 15:41:20 |
| CVE-2024-51744 | Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt | golang-jwt | jwt | Low | 3.1 | 2024-11-04 21:47:12 |
| CVE-2023-48223 | fast-jwt JWT Algorithm Confusion | nearform | fast-jwt | Medium | 5.9 | 2023-11-20 17:39:57 |
| CVE-2015-10004 | Timing side-channel in github.com/robbert229/jwt | github.com/robbert229/jwt | github.com/robbert229/jwt | High | - | 2022-12-27 21:13:12 |
| CVE-2022-39227 | Python-jwt subject to Authentication Bypass by Spoofing | davedoesdev | python-jwt | Critical | 9.1 | 2022-09-23 06:55:09 |
| CVE-2021-24998 | Simple JWT Login < 3.3.0 - Insecure Password Creation | Unknown | Simple JWT Login | High | - | 2021-12-27 10:33:26 |
| CVE-2021-24804 | Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF | Unknown | Simple JWT Login – Login and Register to WordPress using JWT | High | - | 2021-11-17 10:15:43 |
| CVE-2021-41106 | File reference keys leads to incorrect hashes on HMAC algorithms | lcobucci | jwt | Medium | 4.4 | 2021-09-28 20:50:11 |
| CVE-2020-15084 | Authorization bypass in express-jwt | auth0 | express-jwt | High | 7.7 | 2020-06-30 16:10:12 |