All 9 CVE vulnerabilities found in authlib, with AI-generated Chinese analysis, references, and POCs.
Vendor: authlib
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41425 | Authlib: Cross-site request forging when using cache | CWE-352 | 5.4 | Medium | 2026-04-24 |
| CVE-2026-28498 | Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding | CWE-354 | 7.5 | - | 2026-03-16 |
| CVE-2026-28490 | Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle | CWE-203 | - | - | 2026-03-16 |
| CVE-2026-27962 | Authlib JWS JWK Header Injection: Signature Verification Bypass | CWE-347 | 9.1 | Critical | 2026-03-16 |
| CVE-2026-28802 | Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification | CWE-347 | 9.1 | - | 2026-03-06 |
| CVE-2025-68158 | Authlib: 1-click Account Takeover | CWE-352 | 5.7 | Medium | 2026-01-08 |
| CVE-2025-62706 | Authlib: JWE zip=DEF decompression bomb enables DoS | CWE-400 | 6.5 | Medium | 2025-10-22 |
| CVE-2025-61920 | Authlib is vulnerable to Denial of Service via Oversized JOSE Segments | CWE-20 | 7.5 | High | 2025-10-10 |
| CVE-2025-59420 | Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) | CWE-345 | 7.5 | High | 2025-09-22 |