| purl | pkg:deb/debian/python-authlib@1.2.0-1%2Bdeb12u1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-9fxn-u16u-n3f3 (Aliases: CVE-2026-44681, GHSA-r95x-qfjj-fjj2, PYSEC-2026-188) | | Affected by 0 other vulnerabilities. |
| VCID-bney-ctyr-1uaf (Aliases: CVE-2026-27962, GHSA-wvwj-cvrp-7pv5) | | Affected by 0 other vulnerabilities. |
| VCID-j4a6-4vvj-x3gq (Aliases: CVE-2026-28498, GHSA-m344-f55w-2m6j) | | Affected by 0 other vulnerabilities. |
| VCID-sjwj-7mk7-mych (Aliases: CVE-2026-41425, GHSA-jj8c-mmj3-mmgv, PYSEC-2026-25) | | Affected by 0 other vulnerabilities. |
| VCID-spsb-6z2a-3uhh (Aliases: CVE-2026-28490, GHSA-7432-952r-cw78) | | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3ny1-u6w7-jqdz | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4. | CVE-2025-59420, GHSA-9ggr-2464-2j32 |
| VCID-62ms-nmn4-qyf4 | | CVE-2025-61920, GHSA-pq5p-34cr-23v9 |
| VCID-bney-ctyr-1uaf | | CVE-2026-27962, GHSA-wvwj-cvrp-7pv5 |
| VCID-j4a6-4vvj-x3gq | | CVE-2026-28498, GHSA-m344-f55w-2m6j |
| VCID-kf36-j71r-kqaz | | CVE-2025-62706, GHSA-g7f3-828f-7h7m |
| VCID-n7sa-ew5e-pbfk | | CVE-2025-68158, GHSA-fg6f-75jq-6523 |
| VCID-spsb-6z2a-3uhh | | CVE-2026-28490, GHSA-7432-952r-cw78 |
| VCID-za4z-2u4g-7ydb | | CVE-2024-37568, GHSA-5357-c2jx-v7qh, PYSEC-2024-52 |