Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/pyjwt@2.6.0

Type pypi

Namespace

Name pyjwt

Version 2.6.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.13.0

Latest_non_vulnerable_version 2.13.0

Affected_by_vulnerabilities

url VCID-2n5t-qfqc-mfbv

vulnerability_id VCID-2n5t-qfqc-mfbv

summary PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.

references

reference_url

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138191
reference_id	1138191
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138191

fixed_packages

url	pkg:pypi/pyjwt@2.13.0
purl	pkg:pypi/pyjwt@2.13.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.13.0

aliases CVE-2026-48526, GHSA-xgmm-8j9v-c9wx, PYSEC-2026-179

risk_score 3.4

exploitability 0.5

weighted_severity 6.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2n5t-qfqc-mfbv

url VCID-35nm-u4sh-nugf

vulnerability_id VCID-35nm-u4sh-nugf

summary PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.

references

reference_url

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138191
reference_id	1138191
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138191

fixed_packages

url	pkg:pypi/pyjwt@2.13.0
purl	pkg:pypi/pyjwt@2.13.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.13.0

aliases CVE-2026-48524, GHSA-fhv5-28vv-h8m8, PYSEC-2026-177

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-35nm-u4sh-nugf

url VCID-cdtk-hczs-jud3

vulnerability_id VCID-cdtk-hczs-jud3

summary PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0.

references

reference_url

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138191
reference_id	1138191
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138191

fixed_packages

url	pkg:pypi/pyjwt@2.13.0
purl	pkg:pypi/pyjwt@2.13.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.13.0

aliases CVE-2026-48522, GHSA-993g-76c3-p5m4, PYSEC-2026-175

risk_score 1.9

exploitability 0.5

weighted_severity 3.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cdtk-hczs-jud3

url VCID-gptc-c34t-g3e4

vulnerability_id VCID-gptc-c34t-g3e4

summary PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32597.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32597.json

reference_url

https://github.com/jpadilla/pyjwt

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jpadilla/pyjwt

reference_url

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

reference_url

https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-32597

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-32597

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130662
reference_id	1130662
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130662

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2447194
reference_id	2447194
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2447194

reference_url	https://access.redhat.com/errata/RHSA-2026:10140
reference_id	RHSA-2026:10140
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10140

reference_url	https://access.redhat.com/errata/RHSA-2026:10141
reference_id	RHSA-2026:10141
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10141

reference_url	https://access.redhat.com/errata/RHSA-2026:10184
reference_id	RHSA-2026:10184
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10184

reference_url	https://access.redhat.com/errata/RHSA-2026:12176
reference_id	RHSA-2026:12176
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:12176

reference_url	https://access.redhat.com/errata/RHSA-2026:13508
reference_id	RHSA-2026:13508
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13508

reference_url	https://access.redhat.com/errata/RHSA-2026:13512
reference_id	RHSA-2026:13512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13512

reference_url	https://access.redhat.com/errata/RHSA-2026:13545
reference_id	RHSA-2026:13545
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13545

reference_url	https://access.redhat.com/errata/RHSA-2026:13553
reference_id	RHSA-2026:13553
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13553

reference_url	https://access.redhat.com/errata/RHSA-2026:13672
reference_id	RHSA-2026:13672
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13672

reference_url	https://access.redhat.com/errata/RHSA-2026:13916
reference_id	RHSA-2026:13916
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13916

reference_url	https://access.redhat.com/errata/RHSA-2026:17083
reference_id	RHSA-2026:17083
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17083

reference_url	https://access.redhat.com/errata/RHSA-2026:19138
reference_id	RHSA-2026:19138
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19138

reference_url	https://access.redhat.com/errata/RHSA-2026:19355
reference_id	RHSA-2026:19355
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19355

reference_url	https://access.redhat.com/errata/RHSA-2026:19375
reference_id	RHSA-2026:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19375

reference_url	https://access.redhat.com/errata/RHSA-2026:19712
reference_id	RHSA-2026:19712
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19712

reference_url	https://access.redhat.com/errata/RHSA-2026:21431
reference_id	RHSA-2026:21431
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21431

reference_url	https://access.redhat.com/errata/RHSA-2026:21517
reference_id	RHSA-2026:21517
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21517

reference_url	https://access.redhat.com/errata/RHSA-2026:22330
reference_id	RHSA-2026:22330
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22330

reference_url	https://access.redhat.com/errata/RHSA-2026:6568
reference_id	RHSA-2026:6568
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6568

reference_url	https://access.redhat.com/errata/RHSA-2026:6720
reference_id	RHSA-2026:6720
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6720

reference_url	https://access.redhat.com/errata/RHSA-2026:6912
reference_id	RHSA-2026:6912
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6912

reference_url	https://access.redhat.com/errata/RHSA-2026:6926
reference_id	RHSA-2026:6926
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6926

reference_url	https://access.redhat.com/errata/RHSA-2026:8437
reference_id	RHSA-2026:8437
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8437

reference_url	https://access.redhat.com/errata/RHSA-2026:8746
reference_id	RHSA-2026:8746
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8746

reference_url	https://access.redhat.com/errata/RHSA-2026:8747
reference_id	RHSA-2026:8747
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8747

reference_url	https://access.redhat.com/errata/RHSA-2026:8748
reference_id	RHSA-2026:8748
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8748

fixed_packages

url pkg:pypi/pyjwt@2.12.0

purl pkg:pypi/pyjwt@2.12.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2n5t-qfqc-mfbv

vulnerability	VCID-35nm-u4sh-nugf

vulnerability	VCID-c1pr-7t6u-hkcr

vulnerability	VCID-cdtk-hczs-jud3

vulnerability	VCID-hqrd-7f5d-nbh1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.12.0

aliases CVE-2026-32597, GHSA-752w-5fwx-jx9f, PYSEC-2026-120

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gptc-c34t-g3e4

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.6.0

Package Instance